Attack Chain

1. An attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerability, or compromised credentials).
2. The attacker installs the Level RMM agent on the compromised system, potentially using administrative privileges.
3. The Level RMM agent installation process creates the scheduled task named ‘\Level\Level Watchdog’.
4. The ‘Level Watchdog’ task is configured to run periodically, ensuring the Level RMM agent remains active.
5. The attacker uses the Level RMM agent to execute commands remotely on the compromised system.
6. The attacker uses the RMM tool to maintain persistence and control over the compromised system.
7. The attacker leverages the established RMM connection to perform lateral movement within the network.
8. The ultimate objective could include data exfiltration, ransomware deployment, or further compromise of critical systems.

Impact

Successful exploitation and misuse of RMM tools can lead to significant compromise, potentially affecting numerous systems within an organization. Attackers leveraging Level RMM could gain persistent access, enabling them to steal sensitive data, disrupt operations, deploy ransomware, or use compromised systems as a staging ground for further attacks. The scope of the impact depends on the attacker’s objectives and the level of access gained through the RMM tool.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect the creation of the “Level Watchdog” task (EventID 4698, TaskName “\Level\Level Watchdog”).
• Investigate any systems where the “Level Watchdog” task is detected to determine if the RMM software is authorized and legitimate, as noted in the known false positives.
• Monitor process execution and network connections originating from processes associated with Level RMM for suspicious activity.
• Review and enforce policies regarding the use of RMM tools within the organization to prevent unauthorized installations.