LoFP / Some false positives may occur from RMM software used in your environment. Apply filters based on known legitimate RMM software in your environment to reduce false positives.

Techniques

Sample rules

Windows RMM Named Pipe

Description

The following analytic detects the creation of, or connection to, known suspicious named pipes, a technique often used by offensive tools. It leverages Sysmon EventCodes 17 and 18 to identify the default pipe names used by RMM tools. If confirmed malicious, an attacker could be abusing these pipes to gain persistence, establish command and control, or further compromise the system.

Detection logic

`sysmon`
(EventCode=17 OR EventCode=18)
NOT process_path IN (
  "*:\\Program Files \(x86\)\\Adobe*",
  "*:\\Program Files \(x86\)\\Google*",
  "*:\\Program Files \(x86\)\\Microsoft*",
  "*:\\Program Files\\Adobe*",
  "*:\\Program Files\\Google*",
  "*:\\Program Files\\Microsoft*",
  "*:\\Windows\\system32\\SearchIndexer.exe",
  "*:\\Windows\\System32\\svchost.exe",
  "*:\\Windows\\SystemApps\\Microsoft*",
  "*\\Amazon\\SSM\\Instance*",
  "*\\AppData\\Local\\Google*",
  "*\\AppData\\Local\\Kingsoft\\*",
  "*\\AppData\\Local\\Microsoft*",
  "System"
)
| stats min(_time) as firstTime max(_time) as lastTime count
  by dest dvc process_exec process_guid process_id process_path signature signature_id vendor_product pipe_name user_id Image process_name
| lookup suspicious_rmm_named_pipes suspicious_pipe_name AS pipe_name OUTPUT tool, description
| where isnotnull(tool)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rmm_named_pipe_filter`
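As an added example (not part of the LoFP page or the Splunk rule itself), the following Python re-implements the rule's three stages, the process_path exclusion, the pipe-name lookup and the stats aggregation, over constructed Sysmon EventCode 17/18 records so the behaviour can be checked offline. The placeholder pipe name, tool name and event records are constructed because the page does not reproduce the suspicious_rmm_named_pipes lookup; case-insensitive pipe-name matching is an assumption.

```python
import fnmatch

# Exclusion globs copied from the rule; Splunk's IN() wildcards match case-insensitively.
EXCLUDED_PROCESS_PATHS = [
    r"*:\Program Files (x86)\Adobe*", r"*:\Program Files (x86)\Google*",
    r"*:\Program Files (x86)\Microsoft*", r"*:\Program Files\Adobe*",
    r"*:\Program Files\Google*", r"*:\Program Files\Microsoft*",
    r"*:\Windows\system32\SearchIndexer.exe", r"*:\Windows\System32\svchost.exe",
    r"*:\Windows\SystemApps\Microsoft*", r"*\Amazon\SSM\Instance*",
    r"*\AppData\Local\Google*", r"*\AppData\Local\Kingsoft\*",
    r"*\AppData\Local\Microsoft*", "System",
]

# Stand-in for the suspicious_rmm_named_pipes lookup. The pipe name and tool are
# CONSTRUCTED placeholders; the real lookup contents are not reproduced on the page.
SUSPICIOUS_RMM_PIPES = {r"\example_rmm_agent": ("ExampleRMM", "placeholder RMM agent control pipe")}

def is_excluded(process_path):
    """Mirror 'NOT process_path IN (...)': any glob hit means the event is dropped."""
    path = process_path.lower()
    return any(fnmatch.fnmatchcase(path, g.lower()) for g in EXCLUDED_PROCESS_PATHS)

def detect_rmm_pipes(events):
    """Return the 'stats ... by' rows surviving the lookup join, keyed on (dest, process_path, pipe_name)."""
    rows = {}
    for ev in events:
        if ev["EventCode"] not in (17, 18) or is_excluded(ev["process_path"]):
            continue
        hit = SUSPICIOUS_RMM_PIPES.get(ev["pipe_name"].lower())  # assumption: case-insensitive lookup
        if hit is None:  # '| where isnotnull(tool)'
            continue
        key = (ev["dest"], ev["process_path"], ev["pipe_name"])
        row = rows.setdefault(key, {"tool": hit[0], "description": hit[1], "count": 0,
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

# Constructed Sysmon pipe events (_time simplified to small integers).
AGENT = r"C:\Users\alice\AppData\Local\Temp\agent.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventCode": 17, "dest": "ws01", "process_path": AGENT, "pipe_name": r"\example_rmm_agent", "_time": 100},
    {"EventCode": 18, "dest": "ws01", "process_path": AGENT, "pipe_name": r"\example_rmm_agent", "_time": 160},
    {"EventCode": 17, "dest": "ws01", "process_path": OFFICE, "pipe_name": r"\example_rmm_agent", "_time": 170},  # excluded path
    {"EventCode": 17, "dest": "ws01", "process_path": AGENT, "pipe_name": r"\mojo.1234", "_time": 180},  # not in lookup
    {"EventCode": 1, "dest": "ws01", "process_path": AGENT, "pipe_name": "", "_time": 190},  # wrong EventCode
]
```

Running detect_rmm_pipes(SAMPLE_EVENTS) yields a single row for the unsigned agent with count 2, firstTime 100 and lastTime 160; the Office event is dropped by the path exclusion even though it touches the same pipe, which is exactly the tuning knob the LoFP note refers to.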