(originally posted on GitHub) The most difficult challenge with RMM detection is contextual awareness around usage: determining whether a given use is valid or malicious.

If the software is not used in the environment, could it be legitimate use by a random employee? Is it an attacker BYOL? Even so, all occurrences could probably be considered suspicious.

If it is used in the environment, is every use of it legitimate? Probably not. This also creates significant living off the land (LOL) opportunity; some occurrence...
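One way to encode that context into detection logic, as an added example that is not part of the original post: triage each RMM process start against a baseline of which tools are sanctioned and where they are expected to run. The tool names, hosts, accounts and log lines are constructed for illustration.

```python
# Added example (not from the original post): contextual triage of RMM tool
# executions against an environment baseline. All names below are constructed.
from dataclasses import dataclass

# Constructed baseline: sanctioned RMM tools, and the hosts / accounts on
# which each is expected to run.
BASELINE = {
    "anydesk.exe": {"hosts": {"it-admin-01"}, "users": {"corp\\helpdesk"}},
    "screenconnect.client.exe": {"hosts": {"ws-042", "ws-017"}, "users": {"corp\\svc-rmm"}},
}
# Constructed watchlist of RMM executables we care about at all.
KNOWN_RMM = {"anydesk.exe", "screenconnect.client.exe", "teamviewer.exe", "atera.agent.exe"}

@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str  # executable name

def triage(ev: ProcessEvent) -> str:
    """Classify one process-start event.
    'ignore'     - not an RMM tool
    'suspicious' - RMM tool not sanctioned anywhere in the environment
                   (attacker-brought or shadow-IT tool)
    'review'     - sanctioned tool on an unexpected host or account
                   (possible living-off-the-land abuse of an approved tool)
    'expected'   - sanctioned tool where and by whom it is expected
    """
    name = ev.image.lower()
    if name not in KNOWN_RMM:
        return "ignore"
    policy = BASELINE.get(name)
    if policy is None:
        return "suspicious"
    if ev.host.lower() not in policy["hosts"] or ev.user.lower() not in policy["users"]:
        return "review"
    return "expected"

def parse_line(line: str) -> ProcessEvent:
    """Parse a constructed 'host|user|image' process log line."""
    host, user, image = line.strip().split("|")
    return ProcessEvent(host, user, image)

SAMPLE_LOG = [  # constructed sample events
    "it-admin-01|CORP\\helpdesk|AnyDesk.exe",
    "ws-113|CORP\\jdoe|AnyDesk.exe",
    "ws-042|CORP\\svc-rmm|ScreenConnect.Client.exe",
    "ws-042|CORP\\jdoe|TeamViewer.exe",
    "ws-042|CORP\\jdoe|notepad.exe",
]

def triage_log(lines=SAMPLE_LOG):
    """Return (host, verdict) for every line; feed 'suspicious'/'review' to alerting."""
    return [(line.split("|")[0], triage(parse_line(line))) for line in lines]
```

The baseline is the part that needs maintaining: every sanctioned tool without a host/account scope collapses the 'review' tier and hides exactly the living-off-the-land case the post describes.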