Techniques
Sample rules
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- source: sigma
- techniques:
- t1105
- t1219
Description
Detects TacticalRMM agent installations where the --api, --auth, and related flags are passed on the command line. These parameters configure the agent to connect to a specific RMM server with an authentication token, client ID, and site ID. A registration run this way can indicate a threat actor silently enrolling the agent into attacker-controlled RMM infrastructure. Legitimate deployments use the same flags, so triage by checking that the --api host is one of the organisation's known RMM servers.
Detection logic
selection:
  CommandLine|contains|all:
    - --api
    - --auth
    - --client-id
    - --site-id
    - --agent-type
  Image|contains: \TacticalAgent\tacticalrmm.exe
condition: selection
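To show how the selection above behaves on real-looking telemetry, here is the same logic re-implemented as a plain-Python matcher and run over a handful of constructed Windows process-creation events. This is an added example, not code from the Sigma project or from TacticalRMM; the event dictionaries, the server hostname and the tokens are made up, and the `matches_rule`/`scan` helpers are hypothetical names, not part of any Sigma tooling.

```python
"""Plain-Python re-implementation of the Sigma selection above, run over
constructed process-creation events. Added example; not Sigma project code."""

from typing import Iterable

# Values copied from the rule's detection block.
CMDLINE_ALL_OF = ("--api", "--auth", "--client-id", "--site-id", "--agent-type")
IMAGE_CONTAINS = r"\TacticalAgent\tacticalrmm.exe"


def sigma_contains(field_value: str, needle: str) -> bool:
    """Sigma's `contains` modifier: substring match, case-insensitive by default."""
    return needle.lower() in field_value.lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection`: every flag present in
    CommandLine (the `|all` modifier) AND the Image clause matches."""
    cmdline = event.get("CommandLine", "")
    image = event.get("Image", "")
    all_flags = all(sigma_contains(cmdline, flag) for flag in CMDLINE_ALL_OF)
    return all_flags and sigma_contains(image, IMAGE_CONTAINS)


def scan(events: Iterable[dict]) -> list:
    """Return the indices of matching events, as a triage list."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry); hostnames and tokens are placeholders.
SAMPLE_EVENTS = [
    {   # 0: silent registration with every flag present -> should alert
        "Image": r"C:\Program Files\TacticalAgent\tacticalrmm.exe",
        "CommandLine": (
            r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install '
            "--api https://api.rmm.example.invalid --auth 0123456789abcdef "
            "--client-id 1 --site-id 1 --agent-type workstation"
        ),
    },
    {   # 1: same flags, but the binary was renamed/relocated -> Image clause fails
        "Image": r"C:\Users\Public\svchost.exe",
        "CommandLine": (
            r"C:\Users\Public\svchost.exe -m install "
            "--api https://api.rmm.example.invalid --auth 0123456789abcdef "
            "--client-id 1 --site-id 1 --agent-type server"
        ),
    },
    {   # 2: agent service start without registration flags -> no alert
        "Image": r"C:\Program Files\TacticalAgent\tacticalrmm.exe",
        "CommandLine": r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc',
    },
    {   # 3: mixed-case path and flags; Sigma matching is case-insensitive -> alert
        "Image": r"c:\program files\tacticalagent\TacticalRMM.EXE",
        "CommandLine": (
            r"c:\program files\tacticalagent\TacticalRMM.EXE -m install "
            "--API https://api.rmm.example.invalid --AUTH deadbeef "
            "--CLIENT-ID 2 --SITE-ID 3 --AGENT-TYPE workstation"
        ),
    },
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Event 1 is the one worth noticing: the registration flags are all there, but because the rule anchors on the `\TacticalAgent\tacticalrmm.exe` path, an agent copied to another location or renamed slips past it. If that gap matters in your environment, pair this rule with a second selection that keys on the command-line flags alone (and on the --api host not being in your allowlist) and accept the extra tuning that brings.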