Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumexperimental

Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server

Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ahmed NosirCreated Thu May 292db93a3f-3249-4f73-9e68-0e77a0f8ae7ewindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|contains: '\TacticalAgent\tacticalrmm.exe'
        CommandLine|contains|all:
            - '--api'
            - '--auth'
            - '--client-id'
            - '--site-id'
            - '--agent-type'
    condition: selection
False Positives

Legitimate system administrator deploying TacticalRMM

References
1
Resolving title…
github.com
2
Resolving title…
apophis133.medium.com
MITRE ATT&CK
Rule Metadata
Rule ID
2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
Status
experimental
Level
medium
Type
Detection
Created
Thu May 29
Author
Ahmed Nosir
Path
rules/windows/process_creation/proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml
Raw Tags
attack.command-and-controlattack.t1219attack.t1105
View on GitHub