diff --git a/rules/windows/credential_access_forced_authentication_pipes.toml b/rules/windows/credential_access_forced_authentication_pipes.toml
new file mode 100644
index 00000000000..68e42be60b8
--- /dev/null
+++ b/rules/windows/credential_access_forced_authentication_pipes.toml
@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2024/07/23"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/07/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
+authenticate to a host controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-system.security-*", "logs-windows.forwarded-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Forced Authentication - SMB Named Pipes"
+references = [
+    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 21
+rule_id = "73d05fd0-d73b-4625-aa2e-3221965aa2e3"
+setup = """## Setup
+
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id, source.ip, user.name with maxspan=1s
+[authentication where host.os.type == "windows" and event.action == "logged-in" and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
+[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+