Kaseya IoC


Description

Search for indicators of compromise (IoCs) for the Kaseya event of 2021-07-02.

PRE-ALPHA analysis.

Sources:

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

Kaseya Detection Tool at https://kaseya.app.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict


Property Details

ID: 2998641
Status: Alpha - Code that was just developed
Title: Kaseya IoC
Domain: BESC
Keywords: Kaseya, IoC
Added by on 7/6/2021 1:39:29 PM
Last Modified by on 7/6/2021 1:39:29 PM
Counters: 2355 views / 15 downloads

Properties

Kaseya Agent TempPaths
Period: 6 hours
Relevance:
values "TempPath" of keys of keys "HKLM\Software\Kaseya\Agent" of registry

Kaseya vulnerable agent.crt file
Period: 12 hours
Relevance:
(if size of it = 0 then "PASS: No files found" else elements of it) of set of (md5 of it & "|" & pathname of it) of descendants whose (name of it as lowercase = "agent.crt") of folders (values "TempPath" of keys of keys "HKLM\Software\Kaseya\Agent" of registry as string)

Kaseya vulnerable agent.exe file
Period: 12 hours
Relevance:
(if size of it = 0 then "No files found" else if exists elements whose (preceding text of first "|" of it as lowercase != "10ec4c5b19b88a5e1b7bf1e3a9b43c12" as lowercase) of it then "FAIL: Suspicious files:" & concatenation ";" of elements whose (preceding text of first "|" of it as lowercase != "10ec4c5b19b88a5e1b7bf1e3a9b43c12" as lowercase) of it else "PASS: Huntress file found") of set of (md5 of it & "|" & pathname of it) of descendants whose (name of it as lowercase = "agent.exe") of folders (values "TempPath" of keys of keys "HKLM\Software\Kaseya\Agent" of registry as string)

Kaseya - Debug - all agent.exe files
Period: 1 day
Relevance:
elements of set of (md5 of it & "|" & pathname of it) of descendants whose (name of it as lowercase = "agent.exe") of folders (values "TempPath" of keys of keys "HKLM\Software\Kaseya\Agent" of registry as string)

Kaseya - IoC - MsMpEng.exe present at C:\Windows
Period: 1 hour
Relevance:
exists files "MsMpEng.exe" of (windows folders; folders "C:\Windows")

Kaseya - IoC - mpsvc.dll present at C:\Windows
Period: 1 hour
Relevance:
exists files "mpsvc.dll" of (windows folders; folders "C:\Windows")

Kaseya - IoC - suspicious registry path found
Period: 1 hour
Relevance:
exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter" of registry

Kaseya - IoC - known-malicious mpsvc.dll present at C:\Windows
Period: 1 hour
Relevance:
exists files "mpsvc.dll" whose (md5 of it as lowercase = "a47cf00aedf769d60d58bfe00c0b5421") of (windows folders; folders "C:\Windows")
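The same checks as a stand-alone PowerShell script, added here as an example (it is not part of this BigFix analysis), for hosts that have no BigFix agent. The hashes, file names and registry key are taken from the properties above; the output format and exit codes are my own choice.

```powershell
# Added example, not part of the BigFix analysis: the same Kaseya IoC checks as a
# stand-alone PowerShell script for hosts without a BigFix agent. Hashes, file
# names and the registry key come from the analysis; the output format is my own.
$KnownGoodAgentExeMd5 = '10ec4c5b19b88a5e1b7bf1e3a9b43c12'   # expected agent.exe MD5 (from the analysis)
$MaliciousMpsvcMd5    = 'a47cf00aedf769d60d58bfe00c0b5421'   # known-malicious mpsvc.dll MD5 (from the analysis)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Collect every Kaseya agent TempPath (one registry subkey per agent instance).
$tempPaths = Get-ChildItem 'HKLM:\SOFTWARE\Kaseya\Agent' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).TempPath } |
    Where-Object { $_ }
if (-not $tempPaths) { $findings.Add('INFO: no Kaseya agent TempPath found in the registry') }

# 2. Hash every agent.exe and agent.crt under those paths; an agent.exe whose MD5
#    differs from the known-good value is a FAIL, exactly as in the analysis.
foreach ($tp in $tempPaths) {
    Get-ChildItem -Path $tp -Recurse -File -Include 'agent.exe', 'agent.crt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
            if ($_.Name -ieq 'agent.exe' -and $md5 -ne $KnownGoodAgentExeMd5) {
                $findings.Add("FAIL: unexpected agent.exe $md5|$($_.FullName)")
            } else {
                $findings.Add("INFO: $($_.Name) $md5|$($_.FullName)")
            }
        }
}

# 3. Dropped-file IoCs: MsMpEng.exe and mpsvc.dll sitting directly in C:\Windows.
foreach ($name in 'MsMpEng.exe', 'mpsvc.dll') {
    $full = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $full) {
        $md5 = (Get-FileHash -LiteralPath $full -Algorithm MD5).Hash.ToLower()
        $tag = if ($name -ieq 'mpsvc.dll' -and $md5 -eq $MaliciousMpsvcMd5) { 'FAIL: known-malicious' } else { 'WARN: present' }
        $findings.Add("$tag $name $md5|$full")
    }
}

# 4. Registry IoC.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\BlackLivesMatter') {
    $findings.Add('FAIL: registry key HKLM\SOFTWARE\BlackLivesMatter exists')
}

$findings | ForEach-Object { $_ }
if ($findings | Where-Object { $_ -like 'FAIL:*' }) { exit 1 }
'PASS: no Kaseya IoC hits'
exit 0
```

Run it elevated so the Kaseya TempPath folders and C:\Windows are readable; a non-zero exit code means at least one FAIL line was produced.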

Relevance

Used in 20 fixlets and 16 analyses:
windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)

Used in 1 analysis:
exists keys "HKLM\Software\Kaseya\Agent" of registry
