Create RMM Profiles
Joe Miller
FWIW, I have had Huntress catch known, rogue ScreenConnect instances.
Joel DeTeves
Yes please, RMMs are used by threat actors all the time. We also encounter scenarios where we have to weed through all the RMMs left behind by the old MSPs, who often don't remove them cleanly when handing over a client!
Canny AI
Merged in a post:
Specify Primary MSP RMM for Enhanced Threat Detection
Marcel Pawlowski
While working an incident in which a threat actor deployed RMM agents to live off the land, we came to the conclusion that it would probably be helpful to the SOC to have a note on the account of what the RMM solution of the MSP is.
For example, if the MSP uses Kaseya VSA as their primary RMM and Atera agents are deployed unexpectedly or start enumerating a domain remotely, it could be an indicator of compromise, as the commands do not originate from the MSP's RMM.
Milena Khlabystova
Agreed - and similar situation here. Threat actor deployed MeshAgent to maintain remote access.
Ideally, we would like to see EDR reporting/alerting on remote access/RMM tools in the same way ITDR reports on VPN usage:
- Incident is created for any remote access mechanisms/RMM tools installed
- Ability to whitelist specific tool or instance (e.g. Screenconnect) per machine or per client or per organization
- Do not necessarily need to isolate the machines if an unapproved remote access solution is found, but this could be a configurable option
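A sketch of the allowlist logic described in this comment and in Marcel's post above (declared primary RMM per org, per-host exceptions, alert-only versus isolate as a configurable option), added here as an example; it is not Huntress code. The product-to-process mapping, org names and hosts are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample mapping of agent process names to the RMM/remote-access product
# they belong to. Illustrative only; a production list should come from a vetted
# inventory of the tools the SOC tracks.
RMM_SIGNATURES = {
    "agentmon.exe": "kaseya vsa",
    "ateraagent.exe": "atera",
    "screenconnect.clientservice.exe": "screenconnect",
    "meshagent.exe": "meshagent",
}


@dataclass
class RmmPolicy:
    """What an MSP has declared for one client organization."""
    org: str
    primary: set                                  # tools approved org-wide
    per_host: dict = field(default_factory=dict)  # host -> extra approved tools
    isolate_on_unknown: bool = False              # configurable; default is alert only


def identify_tool(process_name):
    """Map a running process to a tracked RMM/remote-access product, or None."""
    return RMM_SIGNATURES.get(process_name.lower())


def evaluate(policies, inventory):
    """inventory: iterable of (org, host, process_name). Returns one finding per
    tracked agent that the org's policy does not approve on that host."""
    findings = []
    for org, host, proc in inventory:
        tool = identify_tool(proc)
        if tool is None:
            continue                      # not a remote-access agent we track
        policy = policies.get(org)
        if policy is None:                # no RMM profile declared: always alert
            findings.append({"org": org, "host": host, "tool": tool, "action": "alert",
                             "reason": "no RMM profile declared for org"})
            continue
        approved = policy.primary | policy.per_host.get(host, set())
        if tool in approved:
            continue
        findings.append({"org": org, "host": host, "tool": tool,
                         "action": "isolate" if policy.isolate_on_unknown else "alert",
                         "reason": f"{tool} not approved; primary is {sorted(policy.primary)}"})
    return findings


if __name__ == "__main__":
    # Constructed sample: Contoso runs Kaseya VSA, with ScreenConnect allowed on dc-01 only.
    policies = {"Contoso": RmmPolicy("Contoso", {"kaseya vsa"}, {"dc-01": {"screenconnect"}})}
    inventory = [("Contoso", "ws-01", "AgentMon.exe"), ("Contoso", "ws-02", "AteraAgent.exe"),
                 ("Contoso", "dc-01", "ScreenConnect.ClientService.exe"),
                 ("Contoso", "ws-03", "ScreenConnect.ClientService.exe"),
                 ("Fabrikam", "srv-01", "MeshAgent.exe")]
    for finding in evaluate(policies, inventory):
        print(finding)
```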
Alex Perrot
Great idea. This also needs to support multiple RMMs/tools per organization - for instance, macOS devices may use a different platform than Windows devices within the same organization.
Joel DeTeves
Alex Perrot same here, we use Addigy for our Apple customers!
Talbot Menear
I really like this idea, but I believe it needs the ability to be differentiated by organization where applicable.
Elliott Campbell
Bumping this post because of the ConnectWise issue. I think this is a great idea.
Dale Stratil
This same idea should be established for remote access software. Right now it is my understanding that Huntress does not flag things like ScreenConnect or well-known legitimate remote screen sharing solutions. These too should be flagged, and the MSP should be able to choose if they want to allow or remove them.
Andy Smith
Great idea!
Jackelyn'la McDermott'la
Wrong link, but it's still the same point.
Set up a free trial of any RMM software (N-able, Kaseya, Datto, whoever) using a fake CC. Deploy that as your foothold, then smash the network.
All AV vendors trust all RMMs that are pretty well known.
Huntress could be even further ahead of the pack with this change, on top of normal AV vendors protecting their client base.