Level.io — CraftedSignal Threat Feed

Detection of Level RMM Watchdog Task Creation

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This brief focuses on the detection of the ‘Level Watchdog’ scheduled task, a component of the Level remote management (RMM) tool. Level is a legitimate commercial tool that allows IT professionals and system administrators to remotely manage computer systems. However, threat actors may abuse RMM tools like Level to maintain persistence and execute malicious commands on compromised hosts. The creation of this specific task serves as an indicator of the presence of Level RMM on a system, which warrants further investigation due to the potential for misuse. This activity is detected via Windows Event Log ID 4698, specifically targeting task creation events for the ‘\Level\Level Watchdog’ task. This detection aims to provide security teams with visibility into the potential misuse of RMM tools within their environment.

Attack Chain

An attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerability, or compromised credentials).
The attacker installs the Level RMM agent on the compromised system, potentially using administrative privileges.
The Level RMM agent installation process creates the scheduled task named ‘\Level\Level Watchdog’.
The ‘Level Watchdog’ task is configured to run periodically, ensuring the Level RMM agent remains active.
The attacker uses the Level RMM agent to execute commands remotely on the compromised system.
The attacker uses the RMM tool to maintain persistence and control over the compromised system.
The attacker leverages the established RMM connection to perform lateral movement within the network.
The ultimate objective could include data exfiltration, ransomware deployment, or further compromise of critical systems.

Impact

Successful exploitation and misuse of RMM tools can lead to significant compromise, potentially affecting numerous systems within an organization. Attackers leveraging Level RMM could gain persistent access, enabling them to steal sensitive data, disrupt operations, deploy ransomware, or use compromised systems as a staging ground for further attacks. The scope of the impact depends on the attacker’s objectives and the level of access gained through the RMM tool.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the creation of the “Level Watchdog” task (EventID 4698, TaskName “\Level\Level Watchdog”).
Investigate any systems where the “Level Watchdog” task is detected to determine if the RMM software is authorized and legitimate, as noted in the known false positives.
Monitor process execution and network connections originating from processes associated with Level RMM for suspicious activity.
Review and enforce policies regarding the use of RMM tools within the organization to prevent unauthorized installations.

Detection of Level RMM PowerShell Script Installer

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Level is a commercial remote management tool (RMM) developed by Level.io. While legitimate IT professionals use such tools for remote access and system administration, threat actors can abuse them for malicious activities. This involves maintaining persistence and executing commands on compromised hosts. The detection focuses on identifying the PowerShell installer for the Level RMM tool. This activity can be an indicator of potential misuse, especially if the installation is unauthorized or occurs on systems not typically managed by IT staff. Defenders need to be aware of the legitimate use of Level in their environment to avoid false positives. The CISA advisory AA23-320A highlights the risks associated with RMM software being abused.

Attack Chain

An attacker gains initial access to a target system (details of initial access are not covered in the source).
The attacker downloads the Level RMM PowerShell installer script, install_windows.ps1, from https://downloads.level.io/install_windows.ps1.
The attacker executes the PowerShell script, potentially using powershell.exe.
The PowerShell script leverages the $env:LEVEL_API_KEY environment variable for authentication or configuration.
The Level RMM agent is installed on the system.
The agent establishes a connection to the Level.io infrastructure, granting the attacker remote access.
The attacker uses the Level RMM agent for persistence, maintaining access even after reboots.
The attacker can then execute arbitrary commands, deploy additional malware, or exfiltrate data.

Impact

Successful exploitation allows attackers to maintain persistent remote access to the compromised system. This can lead to data theft, deployment of ransomware, disruption of services, or further lateral movement within the network. While the number of victims and sectors targeted are not specified in the source, the potential impact can be significant, especially if critical systems are compromised. The use of legitimate RMM tools by attackers can make detection challenging, as the activity may blend in with normal administrative tasks.

Recommendation

Deploy the Sigma rule Detect Level RMM PowerShell Installer Download to identify instances where the install_windows.ps1 script is downloaded (see the rule below).
Deploy the Sigma rule Detect Level RMM PowerShell Script Execution to detect the execution of the Level RMM PowerShell installer script using the $env:LEVEL_API_KEY (see the rule below).
Monitor PowerShell script block logging (EventID 4104) for suspicious activity involving RMM tools.
Review and filter alerts generated by these detections for authorized use within managed environments, as indicated in the known_false_positives section.
Consult the CISA advisory AA23-320A for general guidance on securing against RMM software abuse.