Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. Immediate investigation is required to determine the legitimacy of this tool's presence.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071` Application Layer Protocol

Event coverage

Provider	Event ID	Title
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: `search`

search EventCode IN (17, 18) EventType IN ("ConnectPipe", "CreatePipe") PipeName IN ("\\RMSPrint*", "\\RManFUSCallbackNotify32", "\\RManFUSServerNotify32")

Stage 2: `stats`

stats BY dest, dvc, pipe_name, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Image, PipeName

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`17` corpus 6 (splunk 6) `18` corpus 6 (splunk 6)
`EventType`	in	`"ConnectPipe"` corpus 4 (splunk 4) `"CreatePipe"` corpus 4 (splunk 4)
`PipeName`	in	`"\\RMSPrint*"` `"\\RManFUSCallbackNotify32"` `"\\RManFUSServerNotify32"`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Trickbot Named Pipe [splunk]
Windows Anonymous Pipe Activity [splunk]
Windows App Layer Protocol Qakbot NamedPipe [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Trickbot Named Pipe [splunk]
Windows Anonymous Pipe Activity [splunk]
Windows App Layer Protocol Qakbot NamedPipe [splunk]
Windows App Layer Protocol Wermgr Connect To NamedPipe [splunk]
Windows PUA Named Pipe [splunk]
Windows RMM Named Pipe [splunk]
Windows Suspicious C2 Named Pipe [splunk]
Windows Suspicious Named Pipe [splunk]