Detection of Level RMM PowerShell Script Installer

Level is a commercial remote management tool (RMM) developed by Level.io. While legitimate IT professionals use such tools for remote access and system administration, threat actors can abuse them for malicious activities. This involves maintaining persistence and executing commands on compromised hosts. The detection focuses on identifying the PowerShell installer for the Level RMM tool. This activity can be an indicator of potential misuse, especially if the installation is unauthorized or occurs on systems not typically managed by IT staff. Defenders need to be aware of the legitimate use of Level in their environment to avoid false positives. The CISA advisory AA23-320A highlights the risks associated with RMM software being abused.

Attack Chain

1. An attacker gains initial access to a target system (details of initial access are not covered in the source).
2. The attacker downloads the Level RMM PowerShell installer script, install_windows.ps1, from https://downloads.level.io/install_windows.ps1.
3. The attacker executes the PowerShell script, potentially using powershell.exe.
4. The PowerShell script leverages the $env:LEVEL_API_KEY environment variable for authentication or configuration.
5. The Level RMM agent is installed on the system.
6. The agent establishes a connection to the Level.io infrastructure, granting the attacker remote access.
7. The attacker uses the Level RMM agent for persistence, maintaining access even after reboots.
8. The attacker can then execute arbitrary commands, deploy additional malware, or exfiltrate data.

Impact

Successful exploitation allows attackers to maintain persistent remote access to the compromised system. This can lead to data theft, deployment of ransomware, disruption of services, or further lateral movement within the network. While the number of victims and sectors targeted are not specified in the source, the potential impact can be significant, especially if critical systems are compromised. The use of legitimate RMM tools by attackers can make detection challenging, as the activity may blend in with normal administrative tasks.

Recommendation

• Deploy the Sigma rule Detect Level RMM PowerShell Installer Download to identify instances where the install_windows.ps1 script is downloaded (see the rule below).
• Deploy the Sigma rule Detect Level RMM PowerShell Script Execution to detect the execution of the Level RMM PowerShell installer script using the $env:LEVEL_API_KEY (see the rule below).
• Monitor PowerShell script block logging (EventID 4104) for suspicious activity involving RMM tools.
• Review and filter alerts generated by these detections for authorized use within managed environments, as indicated in the known_false_positives section.
• Consult the CISA advisory AA23-320A for general guidance on securing against RMM software abuse.