{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-management/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["remote-management","powershell","rmm"],"_cs_type":"advisory","_cs_vendors":["Level.io","Splunk"],"content_html":"\u003cp\u003eLevel is a commercial remote management tool (RMM) developed by Level.io. While legitimate IT professionals use such tools for remote access and system administration, threat actors can abuse them for malicious activities. This involves maintaining persistence and executing commands on compromised hosts. The detection focuses on identifying the PowerShell installer for the Level RMM tool. This activity can be an indicator of potential misuse, especially if the installation is unauthorized or occurs on systems not typically managed by IT staff. Defenders need to be aware of the legitimate use of Level in their environment to avoid false positives. 
The CISA advisory AA23-320A highlights the risks associated with RMM software being abused.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a target system (details of initial access are not covered in the source).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the Level RMM PowerShell installer script, \u003ccode\u003einstall_windows.ps1\u003c/code\u003e, from \u003ccode\u003ehttps://downloads.level.io/install_windows.ps1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the PowerShell script, potentially using \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script leverages the \u003ccode\u003e$env:LEVEL_API_KEY\u003c/code\u003e environment variable for authentication or configuration.\u003c/li\u003e\n\u003cli\u003eThe Level RMM agent is installed on the system.\u003c/li\u003e\n\u003cli\u003eThe agent establishes a connection to the Level.io infrastructure, granting the attacker remote access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Level RMM agent for persistence, maintaining access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute arbitrary commands, deploy additional malware, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent remote access to the compromised system. This can lead to data theft, deployment of ransomware, disruption of services, or further lateral movement within the network. While the number of victims and the sectors targeted are not specified in the source, the potential impact can be significant, especially if critical systems are compromised. 
The use of legitimate RMM tools by attackers can make detection challenging, as the activity may blend in with normal administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Level RMM PowerShell Installer Download\u003c/code\u003e to identify instances where the \u003ccode\u003einstall_windows.ps1\u003c/code\u003e script is downloaded (see the rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Level RMM PowerShell Script Execution\u003c/code\u003e to detect the execution of the Level RMM PowerShell installer script using the \u003ccode\u003e$env:LEVEL_API_KEY\u003c/code\u003e (see the rule below).\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell script block logging (EventID 4104) for suspicious activity involving RMM tools.\u003c/li\u003e\n\u003cli\u003eReview and filter alerts generated by these detections for authorized use within managed environments, as indicated in the \u003ccode\u003eknown_false_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eConsult the CISA advisory AA23-320A for general guidance on securing against RMM software abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-level-rmm-installer/","summary":"This brief details the detection of the Level remote management tool PowerShell installer on Windows endpoints, which can be exploited by threat actors for malicious purposes to maintain persistence and execute commands, although it's a legitimate IT tool.","title":"Detection of Level RMM PowerShell Script Installer","url":"https://feed.craftedsignal.io/briefs/2024-01-level-rmm-installer/"}],"language":"en","title":"CraftedSignal Threat Feed — Remote-Management","version":"https://jsonfeed.org/version/1.1"}