Action1 RMM
Remote Management and Monitoring application.
Executables
Platform | File paths |
---|---|
Windows | C:\Windows\Action1\action1_agent.exe |
Windows | C:\Windows\Action1\action1_remote.exe |
Application logs
Filename | Notes | Timestamp format | Log Timezone |
---|---|---|---|
C:\Windows\Action1\Action1_log_[date-time].log | history, errors, system notifications. Incoming and outgoing connections. | YYMMDD HH:MM:SS | UTC |
Search term | Description |
---|---|
[REMOTE_SESSION_CONNECT] | Remote session established |
[Session::Disconnect] | Remote session closed (also may include "closing relay socket") |
Loaded instance Deploy App: | Action1 used to deploy/install additional software |
Session details: LogonTime | YYYY/MM/DD HH:MM:SS in UTC showing the logon time and UserName |
Analyst notes
- action1_remote.exe is evidence of remote control
- action1_agent.exe is the basic service binary
- C:\Windows\Action1\package_downloads is the staging location for file transfer