Create RMM Profiles
Joel DeTeves
Yes please, RMMs are used by threat actors all the time. We also encounter scenarios where we have to weed through all the RMMs left behind by the old MSPs, who often don't remove them cleanly when handing over a client!
Canny AI
Merged in a post: Specify Primary MSP RMM for Enhanced Threat Detection
Marcel Pawlowski
While working an incident in which a threat actor deployed RMM agents to live off the land, we came to the conclusion that it would probably be helpful to the SOC to have a note on the account of what the RMM solution of the MSP is.
For example, if the MSP uses Kaseya VSA as their primary RMM and Atera agents are deployed unexpectedly or start enumerating a domain remotely, it could be an indicator of compromise, as the commands do not originate from the MSP's RMM.
Milena Khlabystova
Agreed - and similar situation here. Threat actor deployed MeshAgent to maintain remote access.
Ideally, we would like to see EDR reporting/alerting on remote access/RMM tools in the same way ITDR reports on VPN usage:
- Incident is created for any remote access mechanisms/RMM tools installed
- Ability to whitelist specific tool or instance (e.g. Screenconnect) per machine or per client or per organization
- Do not necessarily need to isolate the machines if an unapproved remote access solution is found, but this could be a configurable option
Alex Perrot
Great idea. This also needs to support multiple RMMs/tools per organization - for instance, macOS devices may use a different platform than Windows devices within the same organization.
Joel DeTeves
Alex Perrot same here, we use Addigy for our Apple customers!
Talbot Menear
I really like this idea, but I believe it needs the ability to be differentiated by organization where applicable.
Elliott Campbell
Bumping this post after the ConnectWise issue. I think this is a great idea.
Dale Stratil
This same idea should be established for remote access software. Right now it is my understanding that Huntress does not flag things like ScreenConnect or well-known legitimate remote screen sharing solutions. These too should be flagged, and the MSP should be able to choose if they want to allow or remove them.
Andy Smith
Great idea!
Jackelyn'la McDermott'la
Wrong link, but it's still the same point.
Set up a free trial of any RMM software (N-able, Kaseya, Datto, whoever) using a fake CC. Deploy that as your foothold, then smash the network.
All AV vendors trust all RMMs that are pretty well known.
Huntress could be even further ahead of the pack with this change, on top of normal AV vendors protecting their client base.
Jackelyn'la McDermott'la
Alex Payne
The idea behind this request:
- The MSP selects the "RMM" software template they use. Anything deployed on the systems with this software is classed as "trusted".
- Any other RMM tooling is classed as "not trusted".
The idea being that if another RMM is deployed, it should be treated as a takeover or, worse, attackers using a trusted RMM to get into the network and set up footholds.
We trust this software so much these days, and so does Huntress, but it's by far the easiest way in?
This is a zero-trust model.
Come see me for more great ideas! -> maybe I should get 1 month free? :)
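The detection logic sketched in this thread (Milena's per-machine/per-client/per-organization allowlist with a configurable isolate option, and the "trusted template versus everything else" model in the post above) can be expressed as a small scanner over a software inventory. The script below is an added example written for this page, not Huntress code or any vendor's product: the RMM catalogue, the process names it maps (other than the four well-known agent binaries), the `RmmProfile` fields, and the inventory rows are all constructed for illustration.

```python
"""Flag RMM / remote-access agents that fall outside an organization's approved profile.

Added example for this discussion; the catalogue, profile schema and inventory
are constructed assumptions, not a vendor's data model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Illustrative mapping of binaries to the RMM / remote-access product they belong to.
# A real deployment would maintain a vetted, much larger catalogue.
RMM_CATALOGUE: Dict[str, str] = {
    "agentmon.exe": "Kaseya VSA",
    "ateraagent.exe": "Atera",
    "meshagent.exe": "MeshAgent",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "addigy-agent": "Addigy",  # hypothetical binary name used only for this example
}


@dataclass
class RmmProfile:
    """The MSP's declared RMM template, broken down per platform (Windows vs macOS etc.)."""
    org: str
    trusted_by_platform: Dict[str, Set[str]]
    # Per-host exceptions: a tool allowed on one specific machine only.
    host_exceptions: Dict[str, Set[str]] = field(default_factory=dict)
    # Whether an unapproved tool should trigger isolation or just an incident.
    isolate_on_unapproved: bool = False


@dataclass
class Finding:
    org: str
    host: str
    platform: str
    product: str
    severity: str   # "high" for unapproved, "info" for allowed-by-exception
    action: str     # "alert", "isolate" or "allowed-by-exception"


def classify(profile: RmmProfile, host: str, platform: str, process_name: str) -> Optional[Finding]:
    """Return a Finding for an RMM binary that is not the org's trusted tool, else None."""
    product = RMM_CATALOGUE.get(process_name.lower())
    if product is None:
        return None  # not a remote-access tool we recognise
    if product in profile.trusted_by_platform.get(platform, set()):
        return None  # the MSP's own RMM for this platform: trusted
    if product in profile.host_exceptions.get(host, set()):
        return Finding(profile.org, host, platform, product, "info", "allowed-by-exception")
    action = "isolate" if profile.isolate_on_unapproved else "alert"
    return Finding(profile.org, host, platform, product, "high", action)


def scan(profile: RmmProfile, inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run classify() over (host, platform, process_name) rows and collect findings."""
    findings = []
    for host, platform, proc in inventory:
        finding = classify(profile, host, platform, proc)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample inventory, as an EDR might report running agents per endpoint.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("WS-ACCT-01", "windows", "AgentMon.exe"),                    # MSP's own RMM: fine
    ("WS-ACCT-01", "windows", "AteraAgent.exe"),                  # unexpected second RMM
    ("DC-01", "windows", "MeshAgent.exe"),                        # unexpected on a DC
    ("WS-ACCT-07", "windows", "ScreenConnect.ClientService.exe"), # per-host exception
    ("MAC-DESIGN-02", "macos", "addigy-agent"),                   # trusted macOS agent
    ("WS-ACCT-01", "windows", "chrome.exe"),                      # not an RMM at all
]

# Constructed profile: Kaseya VSA on Windows, Addigy on macOS, one host exception.
SAMPLE_PROFILE = RmmProfile(
    org="Example MSP Client",
    trusted_by_platform={"windows": {"Kaseya VSA"}, "macos": {"Addigy"}},
    host_exceptions={"WS-ACCT-07": {"ConnectWise ScreenConnect"}},
)


if __name__ == "__main__":
    for f in scan(SAMPLE_PROFILE, SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.host} ({f.platform}): {f.product} -> {f.action}")
```

Running it against the sample data raises two high-severity findings (Atera on a workstation that already runs the trusted Kaseya agent, and MeshAgent on a domain controller) and one informational entry for the ScreenConnect exception on WS-ACCT-07; flipping `isolate_on_unapproved` to `True` turns the "alert" actions into "isolate" without changing what is detected.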