Kaseya VSA Attack

Create a random staging directory. Ingress an encoded agent payload along with a vulnerable Windows Defender binary. Copy the on target certutil payload to the directory then decode the agent payload and side-load it by launch the vulnerable Windows Defender.

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Side-load Pneuma using Windows Defender
Decode files with Certutil
Stage agent configuration file
Ingress an encoded Pneuma DLL with the ServiceCrtMain function exported
Ingress vulnerable Windows Defender binary
Create a staging directory
Copy certutil with random bytes


kaseya vsa attack, wizard spider

User-Set Custom Variables

  • payload.name: mpsvc.dll