#1 - Pipe Echoes

Question:

You see a 4688 (process creation) event with “NT AUTHORITY\SYSTEM” executing the command:

cmd /c echo helloworld > \\.\pipe\helloworld

  1. What would this be evidence of?

  2. How does it work?

  3. What else would you look for?


Answer:

This is evidence of privilege escalation through Named Pipe Impersonation.

Named Pipes have a useful feature: the server side of a pipe can impersonate the client that connects to it and obtain an impersonation token for that client. This token is normally used to check that the connecting user has the correct privileges to access the application on the other side of the Named Pipe.

An attacker who controls the server side of a pipe can use this impersonation token to spawn a new process as the owner of the token. In this case, the client writing to the pipe is System, so a process would be spawned as System. This is a very common privilege escalation technique, so much so that it is a default in both Cobalt Strike and Metasploit.

But how can an attacker get System to write to a pipe?

Creating a service is the most common method. A service runs as System, so starting one with the command above makes System write to an attacker-controlled pipe. For additional evidence, therefore, we can look for service creation events around the same time as the 4688 event. Sysmon Named Pipe events (pipe created and pipe connected) may also help detect the privilege escalation, since they show which process created the pipe and which one connected to it.
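The correlation described above (a SYSTEM process-creation event echoing into a named pipe, the service creation that launched it, and the pipe created beforehand by a lower-privileged process) as a small hunt in Python. This is an added example, not code from the original page. The events are constructed samples with simplified field names (`user`, `command_line`, `image_path`, `pipe`); the IDs 4688 (Security: process creation), 7045 (System: a service was installed) and Sysmon 17 (Pipe Created) are real, but the account names, service name, timestamps and paths are invented for the example.

```python
"""Hunt for named-pipe impersonation activity across three log sources:
  4688  - SYSTEM running 'cmd /c echo ... > \\.\pipe\<name>'
  7045  - the service creation whose ImagePath launched that command
  Sysmon 17 - the process (often non-SYSTEM) that created the pipe first
All events below are constructed samples, not real log data."""
import re
from datetime import datetime, timedelta

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Matches 'echo <anything> > \\.\pipe\<name>' (optional quote before the path).
PIPE_ECHO = re.compile(
    r'echo\s+.*?>\s*"?\\\\\.\\pipe\\(?P<pipe>[^\s"]+)', re.IGNORECASE)

# Constructed sample events (simplified field names, invented values).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 17, "user": "CORP\\alice",      # Sysmon Pipe Created
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "pipe": "\\helloworld"},
    {"ts": "2024-05-01T10:00:05", "id": 7045, "user": SYSTEM,          # service installed
     "service": "svc_9f3a",
     "image_path": "%COMSPEC% /c echo helloworld > \\\\.\\pipe\\helloworld"},
    {"ts": "2024-05-01T10:00:06", "id": 4688, "user": SYSTEM,          # the event in the question
     "command_line": "cmd /c echo helloworld > \\\\.\\pipe\\helloworld"},
    {"ts": "2024-05-01T11:30:00", "id": 4688, "user": "CORP\\bob",     # benign echo to a file
     "command_line": "cmd /c echo done > C:\\temp\\status.txt"},
    {"ts": "2024-05-01T12:00:00", "id": 4688, "user": SYSTEM,          # pipe write with no 7045/17 nearby
     "command_line": "cmd /c echo x > \\\\.\\pipe\\orphan"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def pipe_target(text):
    """Return the pipe name (lower-cased) if text echoes into \\.\pipe\<name>, else None."""
    match = PIPE_ECHO.search(text or "")
    return match.group("pipe").lower() if match else None


def hunt(events, window=timedelta(minutes=5)):
    """One finding per SYSTEM 4688 that writes to a named pipe, enriched with the
    service that launched it (7045) and the pipe's creator (Sysmon 17) when those
    fall within `window` of the 4688 event."""
    findings = []
    for e in events:
        if e["id"] != 4688 or e["user"] != SYSTEM:
            continue
        pipe = pipe_target(e.get("command_line"))
        if not pipe:
            continue
        t = _ts(e)
        service = next((s for s in events if s["id"] == 7045
                        and pipe_target(s.get("image_path")) == pipe
                        and abs(_ts(s) - t) <= window), None)
        creator = next((c for c in events if c["id"] == 17
                        and c.get("pipe", "").lstrip("\\").lower() == pipe
                        and abs(_ts(c) - t) <= window), None)
        # Highest confidence when a non-SYSTEM process created the pipe that a
        # freshly installed service then made SYSTEM write to.
        severity = "high" if service and creator and creator["user"] != SYSTEM else "medium"
        findings.append({
            "ts": e["ts"],
            "pipe": pipe,
            "service": service["service"] if service else None,
            "pipe_creator": creator["user"] if creator else None,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The SYSTEM 4688 alone is worth a medium-severity alert; the service creation with the same pipe name in its ImagePath, plus a pipe-created event from a non-SYSTEM process, raises it to high. On a real host the same logic applies to the 4697 Security event for service installation and to Sysmon 18 (Pipe Connected), which shows the SYSTEM-side connection directly.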
