FWIW, I have had Huntress catch known, rogue ScreenConnect instances.

Yes please, RMM's are used by threat actors all the time. We also encounter scenarios where we have to weed through all the RMMs left behind by the old MSPs who often don't remove them cleanly when handing over a client!

Agreed - and similar situation here. Threat actor deployed MeshAgent to maintain remote access.

Ideally, we would like to see EDR reporting/ alerting on remote access/RMM tools in the same way ITDR reports on VPN usage:

- Incident is created for any remote access mechanisms/RMM tools installed

- Ability to whitelist specific tool or instance (e.g. Screenconnect) per machine or per client or per organization

- Do not necessarily need to isolate the machines if an unapproved remote access solution is found, but this could be a configurable option

Great idea. This also needs to support multiple RMMs/tools per organization - for instance, macOS devices may use a different platform than Windows devices within the same organization.

I really like this idea, but I believe it needs the ability to be differentiated by organization where applicable.

Bumping this post the Connectwise issue I think this is a great Idea

This same idea should be established for remote access software. Right now it is my understanding that Huntress does not flag things like ScreenConnect or well know legitimate remote screen sharing solutions. These too should be flagged and the MSP should be able to choose if they want to allow or remove them.

Great idea!

Wrong link, but its still the same point.

Setup a free trail of any RMM software, NABLE, Kaseya, Datto whoever using a fake CC. Deployed that as your Foothold then smash the network.

All AV Vendors trust All RMMS that are known pretty well

.. Huntress could be even further ahead of the pack ..with this change on top of normal AV vendors protecting their client base.