Rmm

ConnectWise Automate is vulnerable to CVE-2026-6066, a cleartext transmission of sensitive information vulnerability, where certain client-to-server communications could occur without transport-layer encryption, potentially allowing network-based interception of Solution Center traffic, and the issue is resolved in Automate 2026.4 by enforcing secure communication.

Barracuda RMM versions prior to 2025.2.2 are vulnerable to local privilege escalation, allowing attackers to gain SYSTEM privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.

This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.