Query Details

Kaseya REvil

Query

// KQL query for the Kaseya REvil detection. Can be used as an Analytics Rule or Hunting query.
// Note: @'...' is a KQL verbatim literal, so backslashes inside it are taken literally and the paths use single
// backslashes (a doubled '\\' would only match a doubled backslash). FilePath is the process image path; on the
// Sentinel SecurityEvent table the 4688 column with that value is NewProcessName.
SecurityEvent
| where EventID == 4688
| where (CommandLine has @'C:\Windows\cert.exe'
    or CommandLine contains 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
    or CommandLine has @'del /q /f c:\kworking\agent.crt'
    or CommandLine has 'Kaseya VSA Agent Hot-fix'
    or CommandLine has @'\AppData\Local\Temp\MsMpEng.exe')
  and (FilePath == @'C:\Windows\MsMpEng.exe' or FilePath == @'C:\Windows\cert.exe' or FilePath == @'C:\kworking\agent.exe')

Explanation

This query detects process-creation events (EventID 4688) associated with the REvil ransomware deployed through the Kaseya VSA Agent. It matches the specific command lines used in that attack (the renamed cert.exe decoder, the Defender-disabling Set-MpPreference command, the agent.crt cleanup, the "Kaseya VSA Agent Hot-fix" string and the dropped MsMpEng.exe) and requires that the created process image is one of the three file paths seen in the attack. Both conditions must hold, so a command-line indicator alone does not fire the rule.
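To show how the rule behaves on concrete records, here is an added Python re-implementation of the query's logic (example code, not the page's or the author's), run over constructed 4688-style events. It assumes events are dicts with EventID, CommandLine and FilePath keys, and approximates KQL's `has` (term-boundary, case-insensitive) and `contains` (substring, case-insensitive) with regular expressions; the second sample shows that a Defender-disabling command from an ordinary powershell.exe does not match because the image path is not one of the three listed.

```python
import re

# Indicators copied from the page's KQL query; the sample events further down are constructed.
DEFENDER_OFF = ("Set-MpPreference -DisableRealtimeMonitoring $true "
                "-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
                "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled")
CMDLINE_HAS = [r"C:\Windows\cert.exe", r"del /q /f c:\kworking\agent.crt",
               "Kaseya VSA Agent Hot-fix", r"\AppData\Local\Temp\MsMpEng.exe"]
IMAGE_PATHS = {r"c:\windows\msmpeng.exe", r"c:\windows\cert.exe", r"c:\kworking\agent.exe"}

def kql_has(text: str, phrase: str) -> bool:
    """Approximates KQL `has`: case-insensitive, and an alphanumeric start/end of the
    phrase must sit on a term boundary, so 'cert.exe' does not match 'cert.exe2'."""
    pattern = re.escape(phrase)
    if phrase[0].isalnum():
        pattern = r"(?<![0-9A-Za-z])" + pattern
    if phrase[-1].isalnum():
        pattern += r"(?![0-9A-Za-z])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def kql_contains(text: str, needle: str) -> bool:
    """Approximates KQL `contains`: case-insensitive substring match."""
    return needle.lower() in text.lower()

def matches_kaseya_revil(event: dict) -> bool:
    """Same logic as the page's query: 4688, a command-line indicator, and a listed image path."""
    if event.get("EventID") != 4688:
        return False
    cmd = event.get("CommandLine", "")
    image = event.get("FilePath", "").lower()  # NewProcessName on Sentinel's SecurityEvent table
    cmd_hit = any(kql_has(cmd, p) for p in CMDLINE_HAS) or kql_contains(cmd, DEFENDER_OFF)
    return cmd_hit and image in IMAGE_PATHS

SAMPLE_EVENTS = [  # constructed 4688-style records, not real telemetry
    {"id": 1, "EventID": 4688, "FilePath": r"C:\Windows\cert.exe",
     "CommandLine": r'"C:\Windows\cert.exe" -decode a.txt b.exe'},
    {"id": 2, "EventID": 4688, "FilePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe " + DEFENDER_OFF},  # indicator hit, but image path not listed
    {"id": 3, "EventID": 4689, "FilePath": r"C:\Windows\cert.exe",
     "CommandLine": r"C:\Windows\cert.exe"},  # not a process-creation event
    {"id": 4, "EventID": 4688, "FilePath": r"C:\kworking\agent.exe",
     "CommandLine": r"cmd /c del /q /f c:\kworking\agent.crt"},
    {"id": 5, "EventID": 4688, "FilePath": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -hashfile report.txt"},  # benign look-alike
]

def detect(events: list) -> list:
    """Ids of the events the rule would raise on; detect(SAMPLE_EVENTS) gives [1, 4]."""
    return [e["id"] for e in events if matches_kaseya_revil(e)]
```

If the rule is too narrow for an environment, the image-path condition is the part to tune, since it is what keeps the powershell.exe sample above from matching.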

Details

Rod Trent

Released: July 12, 2021

Tables

SecurityEvent

Keywords

Devices, Intune, User

Operators

where, ==, has, contains, or, and