Create proc_creation_win_tacticalrmm_install_via_cli.yml #5442


Open. Wants to merge 13 commits into master.

Conversation


@egycondor egycondor commented May 29, 2025

Summary of the Pull Request

This pull request introduces a new Sigma rule titled "TacticalRMM Agent Installation via Command Line", which detects the silent deployment of TacticalRMM using specific command-line flags such as --api, --auth, and --client-id.
This pattern is often seen in post-exploitation tool deployments and stealth persistence scenarios. The rule also validates the binary path \TacticalAgent\tacticalrmm.exe to improve detection confidence.

Changelog

new: TacticalRMM Agent Installation via Command Line

Example Log Event

{
  "EventID": 1,
  "UtcTime": "2025-05-29T11:23:15.112Z",
  "Image": "C:\\Program Files\\TacticalAgent\\tacticalrmm.exe",
  "CommandLine": "\"C:\\Program Files\\TacticalAgent\\tacticalrmm.exe\" -m install --api https://api.example.com --client-id 1 --site-id 1 --agent-type workstation --auth d5177b5bbdc[REDACTED]be62a0e83 -rdp -ping",
  "OriginalFileName": "tacticalrmm.exe",
  "ParentImage": "C:\\Users\\user\\Desktop\\trmm-client1-site1-workstation-amd64.exe",
  "ParentCommandLine": "\"C:\\Users\\user\\Desktop\\trmm-client1-site1-workstation-amd64.exe\"",
  "User": "WIN10-TH-VM\\user",
  "Company": "AmidaWare Inc",
  "Product": "Tactical RMM Agent",
  "FileVersion": "v2.9.1.0",
  "Hashes": "SHA256=EE33AAA05BE135969D86452A49A8E50A5313EFDFC46AE2E7FC8A9AF33556046C"
}

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels May 29, 2025
@egycondor egycondor requested a review from phantinuss June 2, 2025 14:03
@phantinuss phantinuss added the Author Input Required changes the require information from original author of the rules label Jun 4, 2025
…o proc_creation_win_remote_access_tools_tacticalrmm_installation_via_cli.yml
@nasbench nasbench added 2nd Review Needed PR need a second approval and removed Author Input Required changes the require information from original author of the rules labels Jun 4, 2025
@nasbench nasbench requested review from phantinuss and removed request for phantinuss June 4, 2025 13:03

@swachchhanda000 swachchhanda000 left a comment


Based on my research, I found that this method is not used solely for silent installation. For silent installs, there is a completely different approach which uses completely different flags, for example:

tacticalagent-v2.9.1-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES

These --api, --auth, and related flags configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This could be an attempt by a threat actor to connect the agent to an attacker-controlled server.

Relevant resource: https://www.virustotal.com/gui/file/760855ddeef6b05ef377067d8e4dd05351b8a051e4cd0d85bb016f4ecd1289fd/behavior.

I think we can modify the rule to give a clear description of what it's supposed to detect and maybe add another rule for silent installation.

Let me know if my findings are incorrect or I misunderstood you.

@egycondor

Thank you for the insightful feedback, @swachchhanda000.

Upon reviewing the official TacticalRMM documentation, it's evident that the agent installation process supports command-line parameters for automated deployments. Specifically, the documentation outlines methods for scripting agent installations, which utilize command-line flags such as --api, --auth, and --client-id. These methods are designed for automated deployments without user interaction, fitting the definition of silent installations.

Reference: TacticalRMM Agent Installation Guide

Given this, the use of these command-line flags aligns with silent installation practices, especially in automated or large-scale deployment scenarios. Therefore, the proposed Sigma rule targeting these patterns is justified for detecting such installations.
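To make the scope discussed in the PR description and in the review concrete, here is an added example (not the PR's rule YAML or any SigmaHQ code): a small Python evaluator for the selection the PR describes (Image ending in \TacticalAgent\tacticalrmm.exe plus all three enrolment flags), run over constructed events. The function names and the sample events are assumptions; the auth token is redacted and the installer-only command line is the one the reviewer quotes, included to show that it falls outside this rule.

```python
from typing import Any

# Sigma-style selection the PR describes (constructed here, not the PR's YAML):
# agent binary under \TacticalAgent\ plus the enrolment flags, all required.
SELECTION: dict[str, Any] = {
    "Image|endswith": "\\TacticalAgent\\tacticalrmm.exe",
    "CommandLine|contains|all": ["--api", "--auth", "--client-id"],
}

def field_matches(value: Any, modifiers: list[str], expected: Any) -> bool:
    """One field condition; Sigma string matching is case-insensitive."""
    if value is None:
        return False
    haystack = str(value).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    needles = [str(n).lower() for n in wanted]
    if "endswith" in modifiers:
        hits = [haystack.endswith(n) for n in needles]
    elif "contains" in modifiers:
        hits = [n in haystack for n in needles]
    else:
        hits = [haystack == n for n in needles]
    return all(hits) if "all" in modifiers else any(hits)

def matches(event: dict[str, Any], selection: dict[str, Any] = SELECTION) -> bool:
    """A selection is an AND over its field conditions."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field), modifiers, expected):
            return False
    return True

# Constructed events: auth token redacted, paths taken from the PR's example log.
ENROLMENT = {  # the pattern in the PR description: fires
    "Image": r"C:\Program Files\TacticalAgent\tacticalrmm.exe",
    "CommandLine": r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install '
                   "--api https://api.example.com --client-id 1 --site-id 1 "
                   "--auth [REDACTED] -rdp -ping",
}
SILENT_INSTALLER = {  # installer-only pattern the reviewer cites: not covered
    "Image": r"C:\Users\user\Downloads\tacticalagent-v2.9.1-windows-amd64.exe",
    "CommandLine": "tacticalagent-v2.9.1-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES",
}
AGENT_NO_FLAGS = {  # agent binary started without enrolment flags: no fire
    "Image": r"C:\Program Files\TacticalAgent\tacticalrmm.exe",
    "CommandLine": r'"C:\Program Files\TacticalAgent\tacticalrmm.exe"',
}
```

Only the enrolment event matches; the /VERYSILENT installer run would need a separate selection on the installer image, which is the split the reviewer suggests.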
