This detection flags potential use of Barracuda RMM by an adversary to establish remote management and command-and-control capability. It works from file signature data: every file on a device whose code-signing certificate subject contains 'Barracuda Networks', as recorded in the Microsoft Defender DeviceFileCertificateInfo table, is reported per device with first-seen and last-seen times. SOC teams should hunt for this behaviour proactively in Microsoft Sentinel (formerly Azure Sentinel) to find persistent threats that leverage legitimate RMM tooling. Note that the match is a string comparison on the signer name: it also matches other Barracuda-signed software, and it says nothing about whether the RMM agent is sanctioned on that device, so compare hits against the known, authorised deployment before escalating.
KQL Query
// Look-back window: five days; widen it for a longer hunt
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
// Term match on the certificate subject string only; this does not validate the chain
| where Signer has 'Barracuda Networks'
// One row per device: when the signer was first and last observed, how often, and which reports
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: fa733ad1-1f05-4d58-9513-f74ef7cbec2f
name: Remote Management and Monitoring tool - BarracudaRMM - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Barracuda Networks'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
The false-positive scenarios below are written in a generic process-event notation (process.name, process.parent.name, file.path, file.hash, event_id) rather than in the columns of DeviceFileCertificateInfo, which carries only certificate and device fields. To apply them in Sentinel, express them against DeviceProcessEvents or DeviceFileEvents and join back to the detection on DeviceId or SHA1. Each exclusion is grouped explicitly so its precedence is unambiguous.
Scenario: Scheduled System Maintenance via Barracuda RMM
Description: A system administrator schedules a routine maintenance task using Barracuda RMM to update software or apply patches on multiple endpoints.
Filter/Exclusion: process.name != "BarracudaRMM.exe" OR (process.parent.name == "BarracudaRMM.exe" AND process.name == "msiexec.exe" AND event_id == 1170). Read as written, the first clause alone excludes every process that is not the RMM binary; if the exclusion is meant to stay narrow, apply only the parenthesised part.
Scenario: Remote File Backup via Barracuda RMM
Description: An IT admin uses Barracuda RMM to initiate a remote backup of critical files from endpoints to a secure server.
Filter/Exclusion: process.name == "BarracudaRMM.exe" AND (file.hash == "known_backup_tool_hash" OR file.path contains "backup"), where "known_backup_tool_hash" is a placeholder for the hash of the approved backup utility.
Scenario: Admin Task to Deploy Configuration via Barracuda RMM
Description: An administrator uses Barracuda RMM to push configuration changes to endpoints, such as updating firewall rules or group policy settings.
Filter/Exclusion: process.name == "BarracudaRMM.exe" AND (file.path contains "config" OR event_id == 1170)
Scenario: Remote PowerShell Script Execution via Barracuda RMM
Description: A script is executed remotely via Barracuda RMM to perform a system health check or log collection on endpoints.
Filter/Exclusion: process.name == "BarracudaRMM.exe" AND process.parent.name == "BarracudaRMM.exe" AND file.path contains "health_check.ps1"
Scenario: Log Collection via Barracuda RMM for Compliance
Description: The IT department uses Barracuda RMM to collect system logs from endpoints for audit or compliance purposes.
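Added example serving both the rule's query above and the exclusion scenarios: a hunting variant of the detection, written for this page and not taken from the original rule or the jischell-msft repository. It keeps the rule's signer match and adds three things a triager wants: a device allowlist so sanctioned RMM installs drop out (the two host names are assumed placeholders), the file name, folder and dropping process pulled from DeviceFileEvents by SHA1 (this assumes the sensor recorded those files with a hash; hits without file context are kept via a left-outer join), and a count of hits whose certificate chain did not validate, because the rule's Signer match is a string comparison on the certificate subject and would also match a self-signed certificate carrying that name.

```kql
// Added example, not part of the original rule or the jischell-msft repository.
// Assumptions: the two host names below are placeholders for devices where the
// RMM agent is sanctioned; DeviceFileEvents has SHA1 populated for observed files.
let Time_start = now(-5d);
let Time_end = now();
// Placeholder allowlist of devices with an authorised Barracuda RMM deployment
let AuthorizedRmmHosts = datatable(DeviceName:string) [
    "admin-ws01.corp.example",
    "rmm-jump01.corp.example"
];
// Same match as the rule, keeping the columns needed for triage
let BarracudaSigned = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'Barracuda Networks'
    | project Timestamp, DeviceId, DeviceName, SHA1, Signer, Issuer, IsTrusted, ReportId;
// Latest file name, folder and dropping process seen for each hash
let FileContext = DeviceFileEvents
    | where Timestamp between (Time_start .. Time_end)
    | where isnotempty(SHA1)
    | summarize arg_max(Timestamp, FileName, FolderPath, InitiatingProcessFileName) by SHA1
    | project SHA1, FileName, FolderPath, InitiatingProcessFileName;
BarracudaSigned
// Drop devices where the RMM agent is expected (case-insensitive name match)
| where DeviceName !in~ (AuthorizedRmmHosts)
// Enrich with file context; keep certificate hits even when no file event matched
| join kind=leftouter (FileContext) on SHA1
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Files=make_set(FileName), Paths=make_set(FolderPath),
            Droppers=make_set(InitiatingProcessFileName),
            Signers=make_set(Signer), Issuers=make_set(Issuer),
            // Subject string matched but the chain did not validate: possible masquerade
            UntrustedSigs=countif(IsTrusted == false),
            Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| order by UntrustedSigs desc, FirstSeen asc
```

Run it in Advanced Hunting or in Sentinel through the same MicrosoftThreatProtection connector the rule requires. A device with UntrustedSigs greater than zero deserves a look at Issuers before the RMM angle, since a genuinely Barracuda-signed binary should validate; a device with a Dropper that is not a known installer or deployment tool is the one to open first.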