Kaseya VSA Attack

Create a randomly named staging directory. Ingress an encoded agent payload along with a vulnerable Windows Defender binary. Copy the on-target certutil binary to the directory, then decode the agent payload and side-load it by launching the vulnerable Windows Defender binary.

Download Operator (1.7.1)

TTPs

Side-load Pneuma using Windows Defender
Decode files with Certutil
Stage agent configuration file
Ingress an encoded Pneuma DLL with the ServiceCrtMain function exported
Ingress vulnerable Windows Defender binary
Create a staging directory
Copy certutil with random bytes

Tags

kaseya vsa attack, wizard spider

User-Set Custom Variables

  • payload.name: mpsvc.dll