An adversary may use Barracuda RMM, the remote monitoring and management agent sold by Barracuda MSP, to establish persistence or a command-and-control channel through the tool's legitimate remote management capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to surface long-term persistence and covert communication channels. The query below keys on ProcessVersionInfoCompanyName, the company name recorded in the executable's version-info resource, so it finds the vendor's binaries wherever they run on a monitored device; the second string, 'LPI Level Platforms', catches builds that still carry the name of the company Barracuda acquired the product from. Because that field is read from the file itself, a renamed or rebuilt copy with the resource stripped will not match, and a hit is a starting point for review rather than proof of compromise: unexpected installs on devices outside the managed fleet, or an agent first seen after a suspicious logon, are what to look for.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has_any (
'Barracuda MSP',
'LPI Level Platforms'
)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 1d86c50f-6a57-447a-b340-583e8099c7b3
name: Remote Management and Monitoring tool - BarracudaRMM - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has_any (
      'Barracuda MSP',
      'LPI Level Platforms'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and that this table is being ingested |
Scenario: A system administrator is using Barracuda RMM to deploy a scheduled job that creates a process for endpoint protection software (e.g., Microsoft Defender).
Filter/Exclusion: Check for known legitimate processes associated with endpoint protection, or filter by process name (e.g., mpsvc.exe, MsMpEng.exe).
Scenario: A user is running a remote PowerShell script via Barracuda RMM to perform a system update or patching task.
Filter/Exclusion: Filter by process name (powershell.exe) and check for known update-related command-line arguments or script paths.
Scenario: An IT team is using Barracuda RMM to deploy a custom monitoring tool for internal network health checks.
Filter/Exclusion: Exclude processes that match the known monitoring tool’s executable name (e.g., networkMonitor.exe) or check for specific command-line parameters indicating legitimate monitoring activity.
Scenario: A scheduled task via Barracuda RMM is used to collect system logs for compliance or auditing purposes.
Filter/Exclusion: Filter by process name (logcollector.exe) or check for specific log collection directories and file patterns.
Scenario: An admin is using Barracuda RMM to remotely execute a script that configures firewall rules or updates group policies.
Filter/Exclusion: Exclude processes that match known configuration management tools (e.g., gpupdate.exe, netsh.exe) or check for specific command-line switches associated with policy updates.
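The scenarios above all reduce to the same tuning step: decide which children the RMM agent is allowed to spawn, exclude those, and rank what is left. The query below is an added example of that tuning and is not part of the original page or the upstream repository. It assumes that the agent appears as the initiating (parent) process of the commands it runs, and the allow-lists KnownBenignChildren and KnownScriptPaths are hypothetical placeholders that each SOC must fill from its own change records; the interpreters and LOLBins listed in SuspiciousChild are a general starting set, not something the page specifies.

```kusto
// Added tuning example, not code from the original page or the upstream repo.
let Time_start = now(-5d);
let Time_end = now();
// Hypothetical allow-lists built from the scenarios above; replace with your own.
let VendorNames = pack_array('Barracuda MSP', 'LPI Level Platforms');
let KnownBenignChildren = pack_array(
    'MsMpEng.exe', 'mpsvc.exe',          // endpoint protection
    'gpupdate.exe', 'netsh.exe',         // policy and firewall configuration
    'logcollector.exe', 'networkMonitor.exe'); // internal tooling named in the scenarios
let KnownScriptPaths = pack_array(
    @'C:\ProgramData\ITOps\Patching',    // assumed location of approved patch scripts
    @'C:\ProgramData\ITOps\Monitoring'); // assumed location of approved monitoring scripts
// Interpreters and LOLBins that an RMM agent rarely needs to launch unattended.
let Interpreters = pack_array(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe');
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Match the agent either as the created process (original query) or as the
// parent, so that what the agent launches is what gets inspected.
| where ProcessVersionInfoCompanyName has_any (VendorNames)
     or InitiatingProcessVersionInfoCompanyName has_any (VendorNames)
// Scenario exclusions: expected children and approved script locations.
| where not(FileName in~ (KnownBenignChildren))
| where not(ProcessCommandLine has_any (KnownScriptPaths))
// Rank rows: an interpreter spawned by the agent outranks the agent's own process creation.
| extend SuspiciousChild = FileName in~ (Interpreters)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Children=make_set(FileName, 50),
            SampleCommandLines=make_set(ProcessCommandLine, 10),
            SuspiciousCount=countif(SuspiciousChild),
            Count=count(),
            Report=make_set(ReportId, 50)
  by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| order by SuspiciousCount desc, Count desc
```

Keep the allow-lists narrow: excluding by process name alone (the scenarios' first suggestion) lets an attacker hide a payload behind a benign file name, so pair a name exclusion with a path or command-line condition wherever the legitimate job is predictable. Review the SampleCommandLines column before adding any new exclusion, and treat a non-zero SuspiciousCount on a device that is not in the managed fleet as the first row to investigate.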