
Summary
This detection rule identifies potentially malicious activity associated with the RMX remote administration tool by monitoring the creation of, and connections to, named pipes whose names are the tool's defaults or are otherwise publicly known. Using Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected), the rule captures events that can indicate unauthorized remote access to the monitored host. The RMX tool is known to be abused by malware such as Azorult for data extraction, so this detection matters for catching activity that can lead to data exfiltration or system compromise. Any match should be investigated immediately to determine whether use of the RMX tool is sanctioned in the environment; a hit on a host where the tool is not expected is the case of interest, while known administrative deployments can be allowlisted by host or process image.
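The matching described above, run over a few constructed Sysmon records, as an added example that is not part of the original rule or its source project. It parses Sysmon event XML (EventID, PipeName, Image, ProcessId), keeps only Event IDs 17 and 18, and compares the pipe name case-insensitively against a watch list. The pipe names in `RMX_PIPE_NAMES` and the sample events are placeholders chosen for illustration; substitute the names documented for the tool in your rule source.

```python
"""Match Sysmon pipe events (Event ID 17/18) against known RMX pipe names.

Added example. RMX_PIPE_NAMES holds placeholder values, not the tool's
real pipe names; the sample events below are constructed for this demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespace used by Windows event XML as exported from EVTX / Sysmon.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder watch list (assumption): replace with the default/public pipe
# names for the tool from the rule source.
RMX_PIPE_NAMES = {r"\RmxAdminPipe", r"\RmxClientPipe"}

# Sysmon pipe events: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {17: "PipeCreated", 18: "PipeConnected"}


@dataclass(frozen=True)
class PipeEvent:
    event_id: int
    pipe_name: str
    image: str
    process_id: int


def parse_sysmon_event(xml_text: str) -> Optional[PipeEvent]:
    """Return a PipeEvent for Event ID 17/18 records, None for anything else."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id not in PIPE_EVENT_IDS:
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return PipeEvent(event_id,
                     data.get("PipeName", ""),
                     data.get("Image", ""),
                     int(data.get("ProcessId", "0") or 0))


def is_rmx_pipe(ev: PipeEvent) -> bool:
    """Windows pipe names are case-insensitive, so normalise before comparing."""
    return ev.pipe_name.lower() in {p.lower() for p in RMX_PIPE_NAMES}


def detect(xml_events: List[str]) -> List[PipeEvent]:
    """Run the rule over raw event XML and return the matching pipe events."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if ev is not None and is_rmx_pipe(ev):
            hits.append(ev)
    return hits


def _event(event_id: int, pipe: str, image: str, pid: int) -> str:
    """Build a minimal Sysmon-style event record (constructed test data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="PipeName">{pipe}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="ProcessId">{pid}</Data></EventData></Event>'
    )


# Constructed sample log: one create, one connect (different casing), one
# unrelated pipe, and a process-creation event (ID 1) that must be ignored.
SAMPLE_EVENTS = [
    _event(17, r"\RmxAdminPipe", r"C:\Users\Public\rmx.exe", 4120),
    _event(18, r"\RMXCLIENTPIPE", r"C:\Windows\System32\svchost.exe", 908),
    _event(17, r"\PSHost.1.2.3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 2222),
    _event(1, r"", r"C:\Windows\System32\cmd.exe", 3333),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{PIPE_EVENT_IDS[hit.event_id]}: pid={hit.process_id} "
              f"image={hit.image} pipe={hit.pipe_name}")
```

The Event ID 18 match on a connection from `svchost.exe` is the kind of hit worth triaging first: the connecting image tells you which process on the host is talking to the tool. Keep in mind that an operator who renames the pipe defeats a name-based rule, so pair this with process and network telemetry for the same host.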
Categories
- Endpoint
Data Sources
- Named Pipe
ATT&CK Techniques
- T1071
Created: 2024-11-13