LoFP: Legitimate IT professionals and system administrators may use Level remote management tools for authorized access and maintenance. Filter alerts for approved remote management software to reduce false positives.

Techniques

Sample rules

Windows Level RMM Watchdog Task Created

Description

Detects the watchdog task created when Level is installed. Level is a commercial remote management tool from Level.io. Remote management tools, when used for legitimate purposes, help IT professionals and system administrators remotely access and manage computer systems. However, threat actors may exploit these same tools for malicious purposes: a malicious actor can use Level to maintain persistence and execution on a host.

Detection logic

`wineventlog_security` EventID="4698" TaskName="\\Level\\Level Watchdog"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by EventID TaskName Computer
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_level_rmm_watchdog_task_created_filter`
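As an added example, not part of the LoFP page or the Splunk rule itself: the same detection logic in Python run over constructed Event ID 4698 records, with the approved-host allowlist standing in for the `windows_level_rmm_watchdog_task_created_filter` macro the false-positive note describes. The sample events and the allowlist are constructed; field names follow the Windows Security log as the `wineventlog_security` sourcetype presents them.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security Event ID 4698 (scheduled task created)
# records, already parsed into fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:00", "EventID": "4698",
     "TaskName": "\\Level\\Level Watchdog", "Computer": "WS-FINANCE-07"},
    {"_time": "2024-03-01T09:05:00", "EventID": "4698",
     "TaskName": "\\Level\\Level Watchdog", "Computer": "WS-FINANCE-07"},
    {"_time": "2024-03-01T09:10:00", "EventID": "4698",
     "TaskName": "\\Level\\Level Watchdog", "Computer": "SRV-HELPDESK-01"},
    {"_time": "2024-03-01T09:12:00", "EventID": "4698",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Computer": "WS-FINANCE-07"},
    # 4702 is "task updated", not "task created": the rule must ignore it.
    {"_time": "2024-03-01T09:15:00", "EventID": "4702",
     "TaskName": "\\Level\\Level Watchdog", "Computer": "WS-LAB-03"},
]

# Constructed allowlist playing the role of the rule's *_filter macro:
# hosts where Level is an approved remote management tool.
APPROVED_LEVEL_HOSTS = {"SRV-HELPDESK-01"}

WATCHDOG_TASK = "\\Level\\Level Watchdog"


def detect_level_watchdog(events, approved_hosts):
    """Mirror the SPL: match EventID 4698 with the Level watchdog task name,
    aggregate count/firstTime/lastTime by (EventID, TaskName, dest), then
    drop rows for hosts where Level use is approved (the filter macro)."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4698" or ev.get("TaskName") != WATCHDOG_TASK:
            continue
        key = (ev["EventID"], ev["TaskName"], ev["Computer"])  # Computer -> dest
        groups[key].append(datetime.fromisoformat(ev["_time"]))

    results = []
    for (event_id, task, dest), times in groups.items():
        if dest in approved_hosts:  # approved RMM deployment: not an alert
            continue
        results.append({"EventID": event_id, "TaskName": task, "dest": dest,
                        "count": len(times),
                        "firstTime": min(times).isoformat(),
                        "lastTime": max(times).isoformat()})
    return results


if __name__ == "__main__":
    for row in detect_level_watchdog(SAMPLE_EVENTS, APPROVED_LEVEL_HOSTS):
        print(row)
```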