
PUA - CSExec Default Named Pipe

Sigma Rules

Summary
This rule detects the creation of the default named pipe used by CSExec, a PsExec-style remote execution tool that is frequently used for lateral movement. It matches named pipe events whose PipeName contains the string '\csexecsvc', the pipe created by the CSExec service component; the title's "Default Named Pipe" is deliberate, because an operator who rebuilds the tool with a different service and pipe name will not trigger it. The rule relies on Sysmon named pipe telemetry, Event ID 17 (pipe created) and Event ID 18 (pipe connected), which Sysmon only records when its configuration includes PipeEvent filtering; administrators should confirm that their Sysmon configuration captures these events, for example by aligning it with the public Sysmon configuration repositories the rule references. The rule is rated medium severity: a hit is a strong indicator of remote execution activity, but legitimate administrative use of CSExec produces the same pipe, so each hit should be triaged against the source host, the account involved and whether the activity was expected.
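The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing how the rule's single condition (PipeName contains '\csexecsvc', on Sysmon Event IDs 17 and 18) is evaluated against Sysmon events. The event XML below is constructed for illustration, the process GUIDs and PIDs are placeholders, and the matching reproduces Sigma's default case-insensitive 'contains' semantics rather than calling any Sigma library.

```python
import xml.etree.ElementTree as ET

# The one literal the rule looks for: PipeName|contains: '\csexecsvc'.
# Sigma string matching is case-insensitive by default, so we lower-case both sides.
PIPE_FRAGMENT = "\\csexecsvc"

# Sysmon named pipe events: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {17, 18}

# Windows event XML namespace used by Sysmon's Event/System/EventData layout.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into a dict: EventID plus every EventData/Data field."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def matches_csexec_pipe(event):
    """Apply the rule logic: correct event type AND pipe name contains the fragment."""
    if event.get("EventID") not in PIPE_EVENT_IDS:
        return False
    return PIPE_FRAGMENT.lower() in event.get("PipeName", "").lower()


def scan(events_xml):
    """Return the parsed events that the rule would alert on, for triage."""
    return [ev for ev in map(parse_sysmon_event, events_xml) if matches_csexec_pipe(ev)]


def _event(event_id, data):
    """Build a minimal Sysmon-shaped event (constructed sample data, not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
        f"</System><EventData>{body}</EventData></Event>"
    )


# Constructed sample log: two CSExec pipe events (one upper-cased to show the
# case-insensitive match), one unrelated pipe, one non-pipe event.
SAMPLE_EVENTS = [
    _event(17, {"EventType": "CreatePipe", "ProcessId": "4242",
                "PipeName": r"\csexecsvc", "Image": r"C:\Windows\csexecsvc.exe"}),
    _event(18, {"EventType": "ConnectPipe", "ProcessId": "4243",
                "PipeName": r"\CSEXECSVC", "Image": r"C:\Windows\csexecsvc.exe"}),
    _event(17, {"EventType": "CreatePipe", "ProcessId": "700",
                "PipeName": r"\lsass", "Image": r"C:\Windows\System32\lsass.exe"}),
    _event(1, {"ProcessId": "5000", "Image": r"C:\Windows\System32\cmd.exe",
               "CommandLine": r"cmd.exe /c whoami"}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"EventID={hit['EventID']} PipeName={hit['PipeName']} Image={hit['Image']}")
```

Running the script reports the two CSExec pipe events and ignores the lsass pipe and the process creation event. A real deployment would feed the parser from the Microsoft-Windows-Sysmon/Operational channel; the Image and ProcessId fields are kept in each hit because they are what an analyst needs to decide whether the pipe came from an expected administrative session.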
Categories
  • Windows
  • Endpoint
Data Sources
  • Named Pipe
  • Logon Session
Created: 2023-08-07