LoFP LoFP / false positives may be present. filter based on pipe name or process.

Techniques

Sample rules

Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Description

The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. Immediate investigation is required to determine the legitimacy of this tool’s presence.

Detection logic

`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") 
| stats  min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`