Detects TacticalRMM agent installations where the —api, —auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentic
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
- https://github.com/amidaware/tacticalrmm
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
- attack.command-and-control
- attack.t1219
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\TacticalAgent\tacticalrmm.exe'
CommandLine|contains|all:
- '--api'
- '--auth'
- '--client-id'
- '--site-id'
- '--agent-type'
condition: selection
falsepositives:
- Legitimate system administrator deploying TacticalRMM
level: medium
imProcessCreate
| where TargetProcessName contains "\\TacticalAgent\\tacticalrmm.exe" and (TargetProcessCommandLine contains "--api" and TargetProcessCommandLine contains "--auth" and TargetProcessCommandLine contains "--client-id" and TargetProcessCommandLine contains "--site-id" and TargetProcessCommandLine contains "--agent-type")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |