While working with a couple of customers, and with colleagues whose customers are either impacted by the recent Kaseya REvil situation or want to know whether they might be, I developed the following KQL query as a detection.
This should work in all environments, but if after testing it you find a way to make it better, let me know through a DM on Twitter.
It depends on the SecurityEvent table, so the regular rules apply: the Security Events data connector is required, and the workspace must be collecting process creation events (Event ID 4688), since that is the only event the query looks at.
//KQL query for the Kaseya REvil detection. Can be used as an Analytics Rule or Hunting query.
//The path literals are verbatim strings (@'...'), so backslashes are written singly:
//a doubled backslash inside @'...' is matched literally and never hits a recorded command line.
//'contains' is case-insensitive; '==' on the path is an exact, case-sensitive match.
SecurityEvent
| where EventID == 4688
| where (
    CommandLine contains @'C:\Windows\cert.exe'
    or CommandLine contains 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
    or CommandLine contains @'del /q /f c:\kworking\agent.crt'
    or CommandLine contains 'Kaseya VSA Agent Hot-fix'
    or CommandLine contains @'\AppData\Local\Temp\MsMpEng.exe'
  )
  and (
    FilePath == @'C:\Windows\MsMpEng.exe'
    or FilePath == @'C:\Windows\cert.exe'
    or FilePath == @'C:\kworking\agent.exe'
  )
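To see how the rule behaves before wiring it into Sentinel, here is the same matching logic re-implemented in Python and run over constructed SecurityEvent-style 4688 records. This is an added example, not code from the original post or the SentinelKQL repository; the event dictionaries, the field names (EventID, CommandLine, FilePath, mirroring the query) and the benign Defender entry are all my own assumptions.

```python
# Added example (not from the original post): the KQL rule's matching logic in
# Python, exercised offline against constructed SecurityEvent-style records.
# Command-line indicators quoted in the KQL rule, with single backslashes as
# they appear in a recorded process command line.
COMMANDLINE_INDICATORS = [
    r"C:\Windows\cert.exe",
    "Set-MpPreference -DisableRealtimeMonitoring $true "
    "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled",
    r"del /q /f c:\kworking\agent.crt",
    "Kaseya VSA Agent Hot-fix",
    r"\AppData\Local\Temp\MsMpEng.exe",
]
# Process image paths from the same rule (exact match, like KQL '==').
FILEPATH_INDICATORS = {
    r"C:\Windows\MsMpEng.exe",
    r"C:\Windows\cert.exe",
    r"C:\kworking\agent.exe",
}

def matches_rule(event: dict) -> bool:
    """Mirror of the KQL: EventID 4688 AND a CommandLine indicator AND a listed FilePath."""
    if event.get("EventID") != 4688:
        return False
    cmd = event.get("CommandLine", "")
    # KQL 'contains' is case-insensitive; emulate that with casefold().
    cmd_hit = any(ind.casefold() in cmd.casefold() for ind in COMMANDLINE_INDICATORS)
    # KQL '==' on strings is case-sensitive, so compare the path exactly.
    path_hit = event.get("FilePath") in FILEPATH_INDICATORS
    return cmd_hit and path_hit

def detect(events):
    """Return the subset of events the rule would surface."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "FilePath": r"C:\kworking\agent.exe",
     "CommandLine": r"cmd /c del /q /f c:\kworking\agent.crt"},      # flagged
    {"EventID": 4688, "FilePath": r"C:\Windows\cert.exe",
     "CommandLine": r'"C:\Windows\cert.exe"'},                        # flagged
    {"EventID": 4688, "FilePath": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},  # legit Defender, not flagged
    {"EventID": 4624, "FilePath": r"C:\Windows\cert.exe",
     "CommandLine": r'"C:\Windows\cert.exe"'},                        # wrong EventID, not flagged
]
```

Running `detect(SAMPLE_EVENTS)` returns only the first two records: the legitimate Defender engine path is excluded because neither its command line nor its image path is in the indicator lists.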
The most current version of this query will always be located in the rod-trent/SentinelKQL repository on GitHub (SentinelKQL/KaseyaREvil.txt at master).
MITRE ATT&CK information on REvil: Software S0496.
Use the MITRE information and the KQL query to create your own Analytic Rule.