Techniques
Sample rules
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- source: splunk
- technicques:
- T1071
Description
The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. Immediate investigation is required to determine the legitimacy of this tool’s presence.
Detection logic
`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*")
| stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName dest UserID
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`