Create Known Good RMM Profiles
Matthiew Morin (Huntress)
Merged in a post:
Mark Unused RMMs for Investigation
Samuel Yousey
In a recent incident, threat actors deployed various RMMs, including PDQ, Atera, Splashtop, and ScreenConnect. I noticed an increase in ScreenConnect domains, which were likely malicious. It would be beneficial to have a feature that allows us to mark RMMs we don't use for investigation purposes. We only use N-Central and ScreenConnect self-hosted, so marking others would help us focus on potential threats.
Matthiew Morin (Huntress)
Merged in a post:
Designate Known-Good RMM Instances
Kenny Keller
I would like to have the ability to designate known-good RMM instances within the Huntress portal. This feature would help in easily identifying legitimate cloud instances and prevent them from being falsely flagged as malicious. It would be beneficial for managing our cloud instances more effectively.
Matthiew Morin (Huntress)
Merged in a post:
Dedicated mechanism for detecting rogue remote access software
Jacob Adams
We are aware of process insights and its capabilities, along with possibly creating a scheduled SIEM query. However, we would like to know if the platform itself does or will have in the future a dedicated mechanism for detecting rogue remote access software. This would greatly enhance our ability to identify unauthorized access attempts and ensure the security of our systems.
Jonathan Belle
It’s a simple App Blocker feature or whitelist/blacklist option similar to what BlackPoint offers. Only allow the authorized RMMs and block all others. If this needs to be an additional tool, that’s fine—but the EDR should at least have an option that says “Block All Other RMMs.”
Another option would be to create an application baseline during initial onboarding that requires the customer to confirm the RMM tools detected on the endpoints. That way, the approved RMM is known from the start, and the detection process won't be delayed when something outside the baseline appears.
Tim Sword
Adding comments per partner correspondence:
"With any other RMM tool, it's like having another administrator onboard. They can do anything.
I'm concerned about the file transfer aspect of it. They had access for months. They could've been uglier and uninstalled our RMM and Huntress and we would've never known.
So I think a notification of another RMM would be a minimum."
Tim Sword
Adding comments per partner correspondence:
"I've been saying for a while we need a way to allow list one domain for ScreenConnect and preemptively ban all others. But there has never been a way to do that."
Ugnius Radzevicius
This feature is critically important for maintaining security visibility.
Currently, users can download and execute Remote Monitoring and Management (RMM) and Remote Desktop Protocol (RDP) applications from the public internet with zero visibility, regardless of whether they run with standard or administrative privileges.
As a Security Operations Center (SOC) monitoring tool, implementing detection for these unauthorized applications is crucial. This feature must:
Alert on designated channels when an untrusted RDP or RMM application is launched or attempts a connection.
Be configurable to allow specific, trusted RDP/RMM tools (similar to how trusted locations and VPN providers are handled).
Extend detection to include common reverse shell tools and frameworks, such as Netcat and the Metasploit Framework, when they initiate outbound connections or set up listeners.
Visibility into and control over the usage of remote access tools represents a vital monitoring aspect and is a fundamental requirement for effective security posture management.
Matthiew Morin (Huntress)
Merged in a post:
Provide functionality for customers to list expected RMMs in their environment.
Mark OHalloran
I believe a feature that can help an analyst quickly determine if an RMM is expected would be to let customers provide an RMM whitelist. I was thinking that this functionality would be similar to the "expected VPNs/countries" in ITDR.
This would help the SOC scope on potential compromises by rapidly being able to identify known good RMM usage and can provide a threat hunting opportunity by hunting for RMMs not on the allow list.
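The allow-list logic that this post and the earlier partner comment about pinning one ScreenConnect domain both describe, as an added example that is not Huntress code: an organisation lists its expected RMM products, optionally pinned to a specific relay domain, and any other RMM activity is surfaced for investigation. The process-name table, the `.invalid` domains and the telemetry records are all constructed for the example.

```python
"""Flag RMM activity that is not on an organisation's allow list (added example)."""

# Constructed mapping of process image names to RMM products. Illustrative only;
# tune it to the process and network telemetry your own platform collects.
RMM_PROCESSES = {
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "srservice.exe": "Splashtop",
}

# Allow list in the spirit of ITDR "expected VPNs": product -> set of allowed
# server/relay domains, or None when any instance of that product is expected.
# Constructed values: a self-hosted ScreenConnect relay and N-Central anywhere.
ALLOWED_RMMS = {
    "N-Central": None,
    "ScreenConnect": {"sc.example.invalid"},
}


def classify(event, allowed=ALLOWED_RMMS):
    """Return 'not_rmm', 'allowed', 'unexpected_instance' or 'unexpected_rmm'."""
    product = RMM_PROCESSES.get(event["process"].lower())
    if product is None:
        return "not_rmm"
    if product not in allowed:
        return "unexpected_rmm"            # product never approved for this org
    pinned = allowed[product]
    if pinned is None or event["dest"].lower() in pinned:
        return "allowed"
    return "unexpected_instance"           # approved product, unknown relay


def hunt(events, allowed=ALLOWED_RMMS):
    """Hunt for RMM usage outside the allow list; returns (host, process, dest, verdict)."""
    findings = []
    for ev in events:
        verdict = classify(ev, allowed)
        if verdict.startswith("unexpected"):
            findings.append((ev["host"], ev["process"], ev["dest"], verdict))
    return findings


# Constructed endpoint telemetry: process launch plus its outbound destination.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "ScreenConnect.ClientService.exe", "dest": "sc.example.invalid"},
    {"host": "ws02", "process": "ScreenConnect.ClientService.exe", "dest": "relay-9f3.example.invalid"},
    {"host": "ws03", "process": "AteraAgent.exe", "dest": "agent.example.invalid"},
    {"host": "ws04", "process": "chrome.exe", "dest": "www.example.invalid"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("INVESTIGATE", *finding)
```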
Matt Wilson
+1 here. We use NinjaOne RMM + SentinelOne Complete & have ScreenConnect. Attacker used Atera Agent + outdated ScreenConnect calling home to a Netherlands IP. Went undetected for far too long, unfortunately, so no EDR nor WinEvent data to review leading up to and following the breach. :-/
Matthiew Morin (Huntress)
Merged in a post:
Known Good RMM Instances
Ryan Sipes
It would be helpful to be able to add known RMMs in an organization so that the Huntress team has more insight into anomalous RMM installs in co-managed environments. For example, we have a software team that installs CWC/SC across some of our client environments. Being able to add those instances to a whitelist would allow Huntress to know that those CWC/other RMM installs are allowed but any other instances should potentially be investigated/looked at more closely.