Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( PROCESSNAME endswith "\tacticalrmm.exe" OR ORIGINALFILENAME = "tacticalrmm.exe" ) AND ( COMMANDLINE contains "--api" AND COMMANDLINE contains "--auth" AND COMMANDLINE contains "--client-id" AND COMMANDLINE contains "--site-id" AND COMMANDLINE contains "--agent-type" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Ahmed Nosir (@egycondor)


