The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
- if the software is not used in the environment
  - could it be legitimate use by a random employee?
  - is it an attacker BYOL?
  - even so, all occurrences could probably be considered suspicious
- if it is used in the environment
  - is every use of it legitimate? Probably not
  - this also creates significant living off the land (LOL) opportunity
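One way to encode that contextual awareness in triage logic, as an added example that is not part of the original note: each RMM process start is checked against an inventory of which RMM tools the environment actually uses and on which hosts/accounts, so "not used here" and "used here but off-baseline" get different verdicts. The tool names, hosts, users and log lines are all constructed.

```python
# Added example, not from the original note: triage RMM process starts against
# an inventory of which RMM tools the environment actually uses, and where.
# Tool names, hosts, users and log lines below are all constructed.
from dataclasses import dataclass

# Sanctioned RMM tools and the hosts/accounts where their use is expected.
SANCTIONED_RMM = {
    "rmm_agent_a.exe": {"hosts": {"ws-finance-01", "ws-finance-02"},
                        "users": {"svc_rmm"}},
}
# Executables recognised as RMM tools at all, sanctioned or not.
KNOWN_RMM = {"rmm_agent_a.exe", "rmm_tool_b.exe", "rmm_tool_c.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str  # executable file name as logged

def triage(event: ProcessEvent) -> str:
    """Return a verdict reflecting the note's two questions: is the tool used
    in the environment at all, and is this particular use on-baseline?"""
    image = event.image.lower()
    if image not in KNOWN_RMM:
        return "not_rmm"
    policy = SANCTIONED_RMM.get(image)
    if policy is None:
        return "unapproved_rmm"          # not used here: treat as suspicious
    if event.host in policy["hosts"] and event.user in policy["users"]:
        return "approved_rmm_expected"   # sanctioned tool, expected context
    return "approved_rmm_unexpected"     # sanctioned tool, off-baseline use

def parse_line(line: str) -> ProcessEvent:
    """Parse a constructed 'host=... user=... image=...' process-start line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return ProcessEvent(fields["host"], fields["user"], fields["image"])

# Constructed sample log lines: one expected use, one sanctioned tool run by an
# unexpected user on an unexpected host, one unsanctioned RMM tool, one non-RMM.
SAMPLE_LOG = [
    "host=ws-finance-01 user=svc_rmm image=rmm_agent_a.exe",
    "host=ws-hr-07 user=jdoe image=rmm_agent_a.exe",
    "host=ws-hr-07 user=jdoe image=rmm_tool_b.exe",
    "host=ws-hr-07 user=jdoe image=notepad.exe",
]

def triage_log(lines):
    """Return [(event, verdict), ...] for every line so analysts can sort by verdict."""
    return [(ev, triage(ev)) for ev in map(parse_line, lines)]
```

The "approved_rmm_unexpected" bucket is where the living-off-the-land risk sits: the binary is allowed, so only the host/user context distinguishes it from routine administration.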