Legitimate IT and system administrators may use the Level PowerShell installer for remote management and maintenance. Filter alerts for authorized use within managed environments.

Techniques

Sample rules

Windows Level RMM PowerShell Script Installer

Description

Detects execution of the PowerShell installer script for Level, a commercial remote management tool from Level.io. Remote management tools, when used for legitimate purposes, help IT professionals and system administrators remotely access and manage computer systems. However, threat actors may abuse the same tools, and a malicious actor can use them to maintain persistence and execution on a host.

Detection logic

`powershell`
EventID="4104"
ScriptBlockText IN (
    "*$env:LEVEL_API_KEY *",
    "*https://downloads.level.io/install_windows.ps1*"
)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_level_rmm_powershell_script_installer_filter`
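To show what the search above actually matches and how the false-positive filter fits in, here is an added Python re-implementation of the same logic run over a few constructed PowerShell Script Block Logging (EventID 4104) records. It is example code, not the Splunk rule or the Splunk security content project's code. It assumes the `windows_level_rmm_powershell_script_installer_filter` macro has been tuned locally into an allowlist of hosts where Level is authorized (`AUTHORIZED_HOSTS`), groups only by `Computer` rather than the rule's full field list, and approximates `security_content_ctime` with a UTC timestamp formatter; the host names, user names and script text in `SAMPLE_EVENTS` are constructed.

```python
"""Re-implementation of the Windows Level RMM installer detection over
constructed PowerShell 4104 events. Added example, not the Splunk rule."""
import re
from datetime import datetime, timezone

# Wildcard patterns copied from the rule's ScriptBlockText IN (...) clause.
SCRIPTBLOCK_PATTERNS = (
    "*$env:LEVEL_API_KEY *",
    "*https://downloads.level.io/install_windows.ps1*",
)

# Assumption: the rule's `windows_level_rmm_powershell_script_installer_filter`
# macro has been tuned to an allowlist of hosts where Level is authorized.
AUTHORIZED_HOSTS = {"srv-it-01"}


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a Splunk-style '*' wildcard into a case-insensitive regex.
    Everything except '*' is matched literally; DOTALL lets '*' span the
    newlines that multi-line script blocks contain."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


_COMPILED = [wildcard_to_regex(p) for p in SCRIPTBLOCK_PATTERNS]


def matches_level_installer(event: dict) -> bool:
    """Equivalent of: EventID="4104" AND ScriptBlockText IN (patterns)."""
    if str(event.get("EventID", "")) != "4104":
        return False
    text = event.get("ScriptBlockText", "")
    return any(rx.match(text) for rx in _COMPILED)


def ctime(epoch: float) -> str:
    """Approximates `security_content_ctime`: epoch seconds -> UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events: list) -> list:
    """stats count min(_time) max(_time) by Computer | rename Computer as dest
    | filter. The real rule also groups by EventID, ScriptBlockText, user_id
    and other fields; grouping by Computer alone keeps the output readable."""
    groups = {}
    for ev in events:
        if not matches_level_installer(ev):
            continue
        host = ev.get("Computer", "unknown")
        g = groups.setdefault(host, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], ev["_time"])
        g["last"] = max(g["last"], ev["_time"])
    results = []
    for host, g in sorted(groups.items()):
        if host.lower() in AUTHORIZED_HOSTS:  # the tuned filter macro
            continue
        results.append({"dest": host, "count": g["count"],
                        "firstTime": ctime(g["first"]), "lastTime": ctime(g["last"])})
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": "4104", "Computer": "WS-FIN-07", "user_id": "jdoe",
     "ScriptBlockText": '$env:LEVEL_API_KEY = "PLACEHOLDER_KEY"\nSet-ExecutionPolicy Bypass -Scope Process'},
    {"_time": 1700000060, "EventID": "4104", "Computer": "WS-FIN-07", "user_id": "jdoe",
     "ScriptBlockText": "iwr https://downloads.level.io/install_windows.ps1 -UseBasicParsing | iex"},
    # Authorized management host: matches the search, dropped by the filter macro.
    {"_time": 1700000120, "EventID": "4104", "Computer": "SRV-IT-01", "user_id": "svc_rmm",
     "ScriptBlockText": "Invoke-WebRequest HTTPS://DOWNLOADS.LEVEL.IO/install_windows.ps1 -OutFile C:\\Temp\\l.ps1"},
    # Wrong EventID: text would match, but the rule only looks at 4104.
    {"_time": 1700000180, "EventID": "4103", "Computer": "WS-HR-02", "user_id": "asmith",
     "ScriptBlockText": "$env:LEVEL_API_KEY = 'x'"},
    {"_time": 1700000240, "EventID": "4104", "Computer": "WS-HR-02", "user_id": "asmith",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single row for `WS-FIN-07` with `count` 2, since both of that host's script blocks match while the `SRV-IT-01` hit is suppressed by the allowlist and the 4103 record never enters the search. The wildcard matching is deliberately case-insensitive, mirroring Splunk's field-value comparison, which is why the upper-cased URL on the IT host still matches.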