CISA released guidance earlier this weekend which identifies a suspected supply chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network. The purpose of this KB article is to outline observed TTPs and IOCs associated with REvil's use of this attack and to highlight how FortiEDR can be used to effectively detect and mitigate post-exploitation activity associated with this threat.

At a high level the Kaseya supply chain attack appears to grant the adversary file write access and access to a remote shell with local system privileges. In all currently observed intrusions this access was used to deploy ransomware by sideloading a ransomware payload into a copy of Microsoft Defender. Analysis of the ransomware payload identified significant similarities to ransomware payloads previously employed by the REvil group.

The actor uses what is believed to be the suspected supply chain attack to place the intermediary file 'agent.crt' in the 'C:\kworking' directory (hash: 589C8E3CF270FB6AEE9BAD137A20C733F77A3AE190E8DDE29680878FFA07B824). This is a relatively fixed IOC, as Kaseya explicitly recommends that customers whitelist this folder in SIEM and AV alerting to prevent false positives. The FortiGuard Managed Detection and Response (MDR) team has not yet determined the mechanism used to place this intermediary file on the compromised host.

Following upload of the .crt file to the target endpoint, a set of commands is executed through a cmd shell spawned from the AgentMon.exe process to extract and run the dropper stored in the .crt file. The cmd shell spawning from the AgentMon.exe process is again suspected to be part of the reported supply chain attack.

Image: Kaseya agent notifications windows

Image: Kaseya agent notifications code

1. The ping command chained inline with the other commands is likely intended to induce a delay between the execution of this initial command and the execution of the rest of the commands. Based on the current number of observed intrusions, the FortiGuard MDR team cannot assess whether the -n count is consistent across intrusions or could be used as a low fidelity indicator.
2. This section of the command uses the PowerShell cmdlet Set-MpPreference to turn off Windows Defender real time monitoring, intrusion prevention, scanning of connected devices, files and attachments, network protection, and reporting to Windows Defender.
3. This section of the code copies the 'certutil.exe' executable to the path 'C:\Windows\' and renames it to cert.exe. This technique is likely intended to avoid simple SIEM detections or AV/EDR products that use the execution path or name to apply detection logic to identify anomalous usage of certutil.
4. Following this, the cmd environment variable %RANDOM% is appended to the end of the renamed and moved certutil executable. When referenced, this variable generates a random number between 0 and 32767, and appending data to an executable in this fashion is a simple way of modifying a file's hash. This technique is likely used to further obfuscate the use of the certutil executable.
5. This section of the command decodes the base64-encoded 'agent.crt' intermediary file with the copied version of certutil (cert.exe) to create the initial payload 'agent.exe' in the 'C:\kworking\' directory.
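The command chain broken down above lends itself to host-telemetry detection. The following Python is an added example, not FortiGuard MDR or FortiEDR code, that turns the article's observations into rules applied over constructed Sysmon-style process-creation events: a shell spawned by AgentMon.exe, Set-MpPreference switches that weaken Defender, an inline ping delay, certutil copied under a new name and padded with %RANDOM%, and a base64 decode that produces an executable. The event field names, the AgentMon.exe install path, the -n count and the exact command lines are constructed assumptions rather than values taken from the page. Keying the certutil rule on the PE version-info OriginalFilename, rather than on the image name or the file hash, is what lets it survive both the rename and the hash-altering append.

```python
"""Rule-based triage of the Kaseya/REvil post-exploitation command chain.

Added example, not FortiGuard MDR or FortiEDR code. The events below are
constructed Sysmon-style process-creation records modelled on the article's
description; field names, the AgentMon.exe path, the -n count and the exact
command lines are assumptions, not page-sourced IoCs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    original_file_name: str  # PE version-info OriginalFilename: unchanged by rename or appended bytes
    command_line: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


# Set-MpPreference switches matching the protections the article says were turned off.
WEAKENING_SWITCHES = re.compile(
    r"-(DisableRealtimeMonitoring|DisableIntrusionPreventionSystem|DisableIOAVProtection|"
    r"DisableScriptScanning|DisableRemovableDriveScanning)\s+\$?true"
    r"|-(EnableNetworkProtection)\s+(?:Disabled|AuditMode)"
    r"|-(MAPSReporting)\s+Disabled",
    re.IGNORECASE,
)
PING_DELAY = re.compile(r"\bping\b[^&|]*?\s-n\s+(\d+)", re.IGNORECASE)
COPY_CERTUTIL = re.compile(r"\bcopy\b[^&]*?certutil\.exe\s+(\S+)", re.IGNORECASE)
RANDOM_APPEND = re.compile(r"echo\s+%RANDOM%\s*>>\s*(\S+)", re.IGNORECASE)
DECODE = re.compile(r"[-/]decode\s+(\S+)\s+(\S+)", re.IGNORECASE)


def triage(ev: ProcessEvent) -> list[str]:
    """Return the article's indicators present in one event (empty list = nothing seen)."""
    findings: list[str] = []
    cmd = ev.command_line

    if _basename(ev.parent_image) == "agentmon.exe" and _basename(ev.image) in {"cmd.exe", "powershell.exe"}:
        findings.append("shell spawned by Kaseya AgentMon.exe")

    if "set-mppreference" in cmd.lower():
        switches = [next(g for g in m.groups() if g) for m in WEAKENING_SWITCHES.finditer(cmd)]
        if switches:
            findings.append("Defender weakened via Set-MpPreference: " + ", ".join(switches))

    m = PING_DELAY.search(cmd)
    if m and "&" in cmd:  # a ping chained with other commands is a delay, not diagnostics
        findings.append(f"inline ping delay (-n {m.group(1)}) chained with other commands")

    m = COPY_CERTUTIL.search(cmd)
    if m and _basename(m.group(1)) != "certutil.exe":
        findings.append(f"certutil.exe copied to {m.group(1)}")

    m = RANDOM_APPEND.search(cmd)
    if m:
        findings.append(f"%RANDOM% appended to {m.group(1)} (file hash altered)")

    # Rename and padding do not touch the version resource, so OriginalFilename still says CertUtil.exe.
    if ev.original_file_name.lower() == "certutil.exe" and _basename(ev.image) != "certutil.exe":
        findings.append(f"certutil running under renamed image {ev.image}")

    m = DECODE.search(cmd)
    if m and m.group(2).lower().endswith(".exe"):
        findings.append(f"base64 decode producing executable {m.group(2)}")

    return findings


def run(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}


# Constructed sample telemetry (not captured events). The -n value is a placeholder.
_CHAIN = (
    r"cmd.exe /c ping 127.0.0.1 -n 1234 > nul & "
    r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
    r"-DisableIOAVProtection $true -DisableRemovableDriveScanning $true -EnableNetworkProtection AuditMode "
    r"-MAPSReporting Disabled & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
    r"echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode C:\kworking\agent.crt C:\kworking\agent.exe"
)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Kaseya\AGENT_ID_PLACEHOLDER\AgentMon.exe",  # assumed install path
                 r"C:\Windows\System32\cmd.exe", "Cmd.Exe", _CHAIN),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\cert.exe", "CertUtil.exe",
                 r"C:\Windows\cert.exe -decode C:\kworking\agent.crt C:\kworking\agent.exe"),
    # Benign controls: an interactive shell and a legitimate certutil invocation.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c dir"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 r"certutil.exe -verify C:\certs\corp.cer"),
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_EVENTS).items():
        print(f"event {idx}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Run stand-alone, the script flags the first two events and stays silent on the benign controls; in a real pipeline `triage` would be fed from the EDR's process-creation stream and the findings count used as a severity score, with the AgentMon.exe parent relationship alone being worth an alert given how rarely the agent should spawn a shell.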