Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server

Sigma Rules

Summary
This detection rule identifies potentially malicious use of the TacticalRMM agent on Windows systems. It matches process creation events for the TacticalRMM agent executable whose command line carries the parameters that register the agent with a Remote Monitoring and Management (RMM) server: '--api', '--auth', '--client-id' and '--site-id'. Together these tell the agent which server to enrol with and how to authenticate to it, so their presence can indicate that a threat actor is registering the agent with infrastructure under their control. TacticalRMM is a legitimate open-source RMM tool, and a sanctioned deployment produces the same command line; triage a hit by comparing the '--api' value with the organisation's known RMM server(s) and confirming who launched the installer. Because the rule fires at process creation, when the agent is first executed, responders are alerted before the enrolled agent provides ongoing remote access.
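The following is an added example, not code from the rule's author or from the TacticalRMM project: a small Python implementation of the detection logic described above, run over constructed process-creation events. It assumes a Sysmon-style event with Image, OriginalFileName and CommandLine fields, that the agent binary name contains 'tacticalagent', that flags may appear as '--flag value' or '--flag=value', and it adds a triage step the rule itself does not have: the '--api' host is compared against a hypothetical allowlist of approved RMM servers.

```python
"""Added example: TacticalRMM agent registration detection over constructed events."""
import shlex
from urllib.parse import urlparse

# Command-line switches the rule summary names as the registration indicators.
REGISTRATION_FLAGS = ("--api", "--auth", "--client-id", "--site-id")

# Assumption for triage only, not part of the rule: the organisation's own
# TacticalRMM API host(s). Any other host is treated as potentially attacker-controlled.
APPROVED_API_HOSTS = {"api.rmm.example.internal"}


def parse_flags(command_line):
    """Return {"--flag": value} for both '--flag value' and '--flag=value' forms.

    Non-POSIX splitting keeps Windows backslashes literal; surrounding quotes are
    stripped from tokens. '-api' and '--api' are normalised to '--api' (assumption:
    Go-style flag parsing, which accepts either prefix).
    """
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            name, sep, value = tok.lstrip("-").partition("=")
            if not sep:  # value is the next token unless that is another switch
                value = ""
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    value = tokens[i + 1]
                    i += 1
            flags["--" + name.lower()] = value
        i += 1
    return flags


def is_tacticalrmm_agent(event):
    """Match the agent by Image basename or OriginalFileName (assumed to contain
    'tacticalagent'); OriginalFileName also catches a renamed copy of the binary."""
    basename = event.get("Image", "").rsplit("\\", 1)[-1]
    names = (basename, event.get("OriginalFileName", ""))
    return any("tacticalagent" in n.lower() for n in names)


def detect_registration(event):
    """Return a finding dict when the event matches the rule's logic, else None."""
    if not is_tacticalrmm_agent(event):
        return None
    flags = parse_flags(event.get("CommandLine", ""))
    if not all(f in flags for f in REGISTRATION_FLAGS):
        return None
    api_host = (urlparse(flags["--api"]).hostname or flags["--api"]).lower()
    return {
        "image": event["Image"],
        "api_host": api_host,
        "client_id": flags["--client-id"],
        "site_id": flags["--site-id"],
        "approved_server": api_host in APPROVED_API_HOSTS,  # triage hint, not rule logic
    }


def scan(events):
    """Run the detection over a sequence of events and collect the findings."""
    return [f for f in (detect_registration(e) for e in events) if f]


# Constructed sample events (not real telemetry); field names follow Sysmon EID 1.
SAMPLE_EVENTS = [
    {   # sanctioned install against the approved server: still fires, triages as approved
        "Image": r"C:\Users\admin\Downloads\tacticalagent-v2.8.0-windows-amd64.exe",
        "OriginalFileName": "",
        "CommandLine": r'"C:\Users\admin\Downloads\tacticalagent-v2.8.0-windows-amd64.exe" -m install --api https://api.rmm.example.internal --client-id 1 --site-id 1 --agent-type workstation --auth 0123abcd',
    },
    {   # renamed binary registering with an unknown server (OriginalFileName is constructed)
        "Image": r"C:\ProgramData\svchost-update.exe",
        "OriginalFileName": "tacticalagent.exe",
        "CommandLine": r'"C:\ProgramData\svchost-update.exe" -m install --api http://203.0.113.10:8000 --client-id 3 --site-id 1 --agent-type server --auth deadbeef',
    },
    {   # agent running in service mode, no registration flags: no finding
        "Image": r"C:\Program Files\TacticalAgent\tacticalagent.exe",
        "OriginalFileName": "tacticalagent.exe",
        "CommandLine": r'"C:\Program Files\TacticalAgent\tacticalagent.exe" -m winagentsvc',
    },
    {   # unrelated process: no finding
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command Get-Process",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first sample shows the main caveat: an administrator's own deployment is indistinguishable from an attacker's at the level of the rule, so the allowlist comparison (or an equivalent check against the organisation's RMM inventory) is what separates the two at triage time. Matching on OriginalFileName as well as the image path is what keeps the second sample from slipping past a renamed-binary evasion.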
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2025-05-29