← Back to Explore
sigmamediumHunting
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
Detection Query
selection:
Image|contains: \TacticalAgent\tacticalrmm.exe
CommandLine|contains|all:
- --api
- --auth
- --client-id
- --site-id
- --agent-type
condition: selection
Author
Ahmed Nosir (@egycondor)
Created
2025-05-29
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1219attack.t1105
Raw Content
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
- https://github.com/amidaware/tacticalrmm
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
- attack.command-and-control
- attack.t1219
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\TacticalAgent\tacticalrmm.exe'
CommandLine|contains|all:
- '--api'
- '--auth'
- '--client-id'
- '--site-id'
- '--agent-type'
condition: selection
falsepositives:
- Legitimate system administrator deploying TacticalRMM
level: medium