| ID | Technique | Tactic |
|---|---|---|
| T1053 | Scheduled Task/Job | Execution |
| T1219 | Remote Access Tools | Persistence |
Detection: Windows Level RMM Watchdog Task Created
Description
Detects the watchdog task created when Level is installed. Level is a commercial remote management tool from Level.io. Remote management tools, when used for legitimate purposes, can help IT professionals and system administrators remotely access and manage computer systems. However, threat actors may exploit these tools for malicious purposes. It can be used to maintain persistence and execution on a host by a malicious actor.
Search
1`wineventlog_security`
2EventID="4698"
3TaskName="\\Level\\Level Watchdog"
4
5| fillnull
6
7| stats count min(_time) as firstTime
8 max(_time) as lastTime
9 by EventID TaskName Computer
10
11
12| rename Computer as dest
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| `windows_level_rmm_watchdog_task_created_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4698 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_level_rmm_watchdog_task_created_filter | search * |
windows_level_rmm_watchdog_task_created_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Exploitation
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Legitimate IT professionals and system administrators may use Level remote management tools for authorized access and maintenance. Filter alerts for approved remote management software to reduce false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Level RRM Watchdog task [$TaskName$] created on $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 20 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1