Revisiting Kaseya's Attack by Red Canary
Industry: Technology | Level: Tactical | Source: RedCanary
Red Canary's latest blog revisits an incident response engagement its team handled on July 2nd, 2021, as part of the Kaseya supply chain attack. The trigger event was the Kaseya Virtual System Administrator (VSA) agent, agentmon.exe, spawning a command-line process whose single command line carried a series of suspicious actions: it ran a ping request, modified Windows Defender settings, copied files, and executed certutil to decode a file. Within an hour, registry modifications were observed under paths previously used by REvil, "Software\blacklivesmatter" and "software\wow6432node\blacklivesmatter".
- Anvilogic Scenario: Kaseya Initial Attack Path
- Anvilogic Use Cases:
  - Suspicious Executable by CMD.exe
  - Modify Windows Defender
  - Windows Copy Files
  - Certutil Execution
  - Certutil De-Obfuscate/Decode Files
  - Modify Registry Key
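The scenario above is a correlation of several single-event use cases on one command line, followed by a registry write within an hour. The following is an added example of that correlation logic, written for this page; it is not Red Canary's or Anvilogic's code, and the predicates are my own approximations of the named use cases rather than the vendor's published rules. The event records, paths, timestamps and command line are constructed to resemble process-creation and registry telemetry with the behaviours the summary describes; they are not logs from the incident.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class ProcEvent:
    ts: str            # ISO 8601 timestamp
    parent_image: str  # full path of the parent process
    image: str         # full path of the created process
    cmdline: str       # command line of the created process


@dataclass
class RegEvent:
    ts: str
    image: str   # process that wrote the key
    target: str  # registry path written


def _img(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# One predicate per Anvilogic use case named above (assumed mapping, not the
# vendor's rule logic). Matching on the command line rather than the image
# name means a copied or renamed certutil binary still triggers the rule.
PROC_RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "Suspicious Executable by CMD.exe":
        lambda e: _img(e.image) == "cmd.exe" and _img(e.parent_image) == "agentmon.exe",
    "Modify Windows Defender":
        lambda e: re.search(r"set-mppreference\b.*-disable\w+\s+\$true", e.cmdline, re.I) is not None,
    "Windows Copy Files":
        lambda e: re.search(r"(^|[&|;\s])copy\s+(/y\s+)?\S", e.cmdline, re.I) is not None,
    "Certutil Execution":
        lambda e: "certutil" in e.cmdline.lower() or _img(e.image) == "certutil.exe",
    "Certutil De-Obfuscate/Decode Files":
        lambda e: "certutil" in e.cmdline.lower()
        and re.search(r"\s-decode\s", e.cmdline, re.I) is not None,
}

# "Modify Registry Key": the two REvil paths quoted in the summary, either hive.
REVIL_KEY = re.compile(r"\\software\\(wow6432node\\)?blacklivesmatter(\\|$)", re.I)


def match_process(e: ProcEvent) -> List[str]:
    return [name for name, pred in PROC_RULES.items() if pred(e)]


def match_registry(e: RegEvent) -> bool:
    return REVIL_KEY.search(e.target) is not None


def kaseya_attack_path(procs: List[ProcEvent], regs: List[RegEvent],
                       window: timedelta = timedelta(hours=1)) -> dict:
    """Scenario: agentmon.exe -> cmd.exe with at least three use cases firing on
    one command line, then a REvil registry path written within `window`."""
    for t in procs:
        if not PROC_RULES["Suspicious Executable by CMD.exe"](t):
            continue
        hits = match_process(t)
        if len(hits) < 3:
            continue
        t0 = datetime.fromisoformat(t.ts)
        keys = sorted({r.target for r in regs if match_registry(r)
                       and t0 <= datetime.fromisoformat(r.ts) <= t0 + window})
        return {"trigger_ts": t.ts, "use_cases": hits,
                "registry_keys": keys, "scenario_matched": bool(keys)}
    return {"scenario_matched": False}


# Constructed sample telemetry (not real incident data): one malicious chain,
# one benign cmd.exe that only copies a file, two registry writes 35 min later.
SAMPLE_PROCS = [
    ProcEvent("2021-07-02T14:30:00", r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ping 127.0.0.1 -n 60 > nul "
              r"& powershell Set-MpPreference -DisableRealtimeMonitoring $true "
              r"& copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe "
              r"& C:\Windows\cert.exe -decode C:\temp\payload.crt C:\temp\payload.exe "
              r"& C:\temp\payload.exe"),
    ProcEvent("2021-07-02T14:31:00", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy /Y report.docx D:\backup\ "),
]
SAMPLE_REGS = [
    RegEvent("2021-07-02T15:05:00", r"C:\temp\payload.exe", r"HKLM\SOFTWARE\WOW6432Node\BlackLivesMatter"),
    RegEvent("2021-07-02T15:05:01", r"C:\temp\payload.exe", r"HKCU\Software\BlackLivesMatter"),
]

if __name__ == "__main__":
    print(kaseya_attack_path(SAMPLE_PROCS, SAMPLE_REGS))
```

The benign `copy` event fires exactly one use case and never becomes a trigger, which is the point of correlating the use cases rather than alerting on any of them alone; the registry rule is kept separate and tied to the trigger by time, mirroring the "within an hour" observation in the summary.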