{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/level-remote-management-tool/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Level remote management tool","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["rmm","remote-access","persistence"],"_cs_type":"advisory","_cs_vendors":["Level.io","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of the \u0026lsquo;Level Watchdog\u0026rsquo; scheduled task, a component of the Level remote management (RMM) tool. Level is a legitimate commercial tool that allows IT professionals and system administrators to remotely manage computer systems. However, threat actors may abuse RMM tools like Level to maintain persistence and execute malicious commands on compromised hosts. The creation of this specific task serves as an indicator of the presence of Level RMM on a system, which warrants further investigation due to the potential for misuse. This activity is detected via Windows Event Log ID 4698, specifically targeting task creation events for the \u0026lsquo;\\Level\\Level Watchdog\u0026rsquo; task. This detection aims to provide security teams with visibility into the potential misuse of RMM tools within their environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerability, or compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker installs the Level RMM agent on the compromised system, potentially using administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe Level RMM agent installation process creates the scheduled task named \u0026lsquo;\\Level\\Level Watchdog\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;Level Watchdog\u0026rsquo; task is configured to run periodically, ensuring the Level RMM agent remains active.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Level RMM agent to execute commands remotely on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence and control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established RMM connection to perform lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective could include data exfiltration, ransomware deployment, or further compromise of critical systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and misuse of RMM tools can lead to significant compromise, potentially affecting numerous systems within an organization. Attackers leveraging Level RMM could gain persistent access, enabling them to steal sensitive data, disrupt operations, deploy ransomware, or use compromised systems as a staging ground for further attacks. The scope of the impact depends on the attacker\u0026rsquo;s objectives and the level of access gained through the RMM tool.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the creation of the \u0026ldquo;Level Watchdog\u0026rdquo; task (EventID 4698, TaskName \u0026ldquo;\\Level\\Level Watchdog\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any systems where the \u0026ldquo;Level Watchdog\u0026rdquo; task is detected to determine if the RMM software is authorized and legitimate, as noted in the known false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution and network connections originating from processes associated with Level RMM for suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce policies regarding the use of RMM tools within the organization to prevent unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-level-watchdog-task/","summary":"The creation of the 'Level Watchdog' task, indicative of the Level remote management tool installation, is detected, highlighting the potential abuse of legitimate RMM tools for persistence and execution by threat actors on Windows systems.","title":"Detection of Level RMM Watchdog Task Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-level-watchdog-task/"}],"language":"en","title":"CraftedSignal Threat Feed — Level Remote Management Tool","version":"https://jsonfeed.org/version/1.1"}