Windows Remote Access Software RMS Registry

Splunk Security Content

Summary
This analytic rule detects the creation or modification of Windows registry entries linked to the Remote Manipulator System (RMS), a remote administration tool that can be misused for unauthorized access. By focusing on the registry path `SYSTEM\Remote Manipulator System` within the `Endpoint.Registry` data model, the rule identifies changes that could indicate malware activity, especially in the context of known campaigns such as Azorult. The detection is based on Sysmon registry events, specifically EventIDs 12 and 13, which capture registry key and value changes. Because RMS also has legitimate uses, monitoring it is important so that adversaries cannot quietly rely on it for remote control, data exfiltration, and further movement through the network.
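The check described above, expressed as a small Python function run over constructed Sysmon-style registry events; this is an added example, not the Splunk Security Content rule itself, and the event field names (`EventID`, `TargetObject`, `Image`, `Computer`) and the set of hive prefixes it strips are assumptions about how Sysmon telemetry has been flattened:

```python
import re

# Registry path the detection keys on; compared case-insensitively after the
# hive prefix is removed (the rule text matches on SYSTEM\Remote Manipulator System).
RMS_REGISTRY_PATH = r"SYSTEM\Remote Manipulator System"

# Sysmon registry events: 12 = key created/deleted, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}

# Hive spellings seen in Sysmon TargetObject (assumed set for this example).
_HIVE_PREFIX = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\", re.IGNORECASE
)


def normalize_registry_path(target_object: str) -> str:
    """Drop the hive prefix so HKLM\\SYSTEM\\x and \\REGISTRY\\MACHINE\\SYSTEM\\x compare equal."""
    return _HIVE_PREFIX.sub("", target_object.strip())


def is_rms_registry_event(event: dict) -> bool:
    """True when the event is a Sysmon registry change under the RMS key."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False  # process-create and other event types are out of scope
    path = normalize_registry_path(event.get("TargetObject", ""))
    return path.upper().startswith(RMS_REGISTRY_PATH.upper())


def find_rms_registry_events(events: list) -> list:
    """Run the check over a batch of events and return compact alert records."""
    alerts = []
    for ev in events:
        if is_rms_registry_event(ev):
            alerts.append({
                "host": ev.get("Computer"),
                "event_id": ev["EventID"],
                "process": ev.get("Image"),
                "registry_path": normalize_registry_path(ev["TargetObject"]),
            })
    return alerts


# Constructed sample events (not real telemetry); paths and process names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Temp\example_tool.exe",
     "TargetObject": r"HKLM\SYSTEM\Remote Manipulator System\ExampleValue"},
    {"EventID": 12, "Computer": "ws01", "Image": r"C:\Temp\example_tool.exe",
     "TargetObject": r"\REGISTRY\MACHINE\System\Remote Manipulator System\Sub"},
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Example\Unrelated"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Temp\example_tool.exe",
     "TargetObject": r"HKLM\SYSTEM\Remote Manipulator System"},  # wrong EventID
]
```

Only the first two sample events should produce alerts: the third is an unrelated key and the fourth is not a registry event at all.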
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1219
Created: 2024-11-13