Revising Kaseya's Attack by Red Canary

Red Canary’s latest blog revisits an incident response engagement the security team responded to on July 2nd, 2021, associated with the Kaseya supply chain attack. The trigger event involved the "Kaseya Virtual System Administrator (VSA) agent agentmon.exe" running a command-line process with a variety of suspicious actions. The command issued, ran a ping request, modified Windows Defender, copied files and executed certutil to decode files. Within an hour registry modifications were made with paths observed to have been used by REvil, "Software\blacklivesmatter" and "software\wow6432node\blacklivesmatter."

‍