The sample scripts are not supported under any N-able support program or service. The sample scripts are provided AS IS without warranty of any kind, and N-able expressly disclaims all implied warranties including, warranties of merchantability or of fitness for a particular purpose. In no event shall N-able or any other party be liable for damages arising out of the use of or inability to use the sample scripts.

Kaseya Endpoint Detection Tool - NC

Last Modified Date

7/6/2021 1:33 PM

Description

** Update note: this page was updated on July 6th following an update to the script provided by Kaseya on July 5th at 5:30 pm.

Following the attack on Kaseya VSA in July 2021 (see the linked article), our partners have been asking for help to mitigate or detect the vulnerability.

N-central and RMM have the ability to detect whether the Kaseya agent is installed, and report on it. This can be used as a first line. Kaseya has also created two scripts, one to be run on the VSA itself and one to be run on the endpoints. We have taken the endpoint script and slightly modified it to make it work within N-central and RMM as a monitoring item (see our other article for N-able RMM). This allows everyone using our platforms to run the script from Kaseya and get alerted if it detects any potential issues.

We recommend that you review the linked article from Kaseya and come back to this page often, as we will publish updates to the article or the AMP file as needed, based on what Kaseya and the experts recommend.

Type

Custom Service / Script Check

Category

Windows Third Party Apps

Target OS

Windows 8/8.1;Windows 10;Windows Server 2012 / 2012R2;Windows Server 2016;Windows Server 2019

Compatible with N-Central

Yes

N-Central minimum version

2021.1

Compatible with RMM

No

Syntax

To use it in N-central, upload the AMP file to N-central, then create a custom service.


Note that if the devices are not using Kaseya, the monitoring will return a pass state, since the vulnerability seems to be targeted around Kaseya agents.

Output

The policy outputs four fields: "issues count", "certs found", "files found" and an encryption status.

On the issues count output, set the thresholds so that 0 = normal, -10000 to -1 = warning, and 1 to 100000 = failed. This will warn you if any file or cert is detected.
On the cert and file outputs, set the threshold on whether the output contains "PASS". If it does not contain "PASS", have it go to failed.
On the encryption status check, set the threshold on whether the output contains "PASS". If it does not contain "PASS", have it go to failed.

Keywords

kaseya vsa advisory security cve revil ransomware
