From a443697a0d8f9b7ed8f28d780ddf91380944e55d Mon Sep 17 00:00:00 2001
From: dfirtnt <12226521+dfirtnt@users.noreply.github.com>
Date: Tue, 29 Aug 2023 22:04:33 -0400
Subject: [PATCH] Add files via upload

Adding new targets for Action1 and Level RMM agents
---
 Action1.tkape | 17 +++++++++++++++++
 Level.tkape | 16 ++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 Action1.tkape
 create mode 100644 Level.tkape

diff --git a/Action1.tkape b/Action1.tkape
new file mode 100644
index 000000000..5f2814d95
--- /dev/null
+++ b/Action1.tkape
@@ -0,0 +1,17 @@
+Description: Action1 Application Logs
+Author: Andrew Skatoff @DFIR_TNT
+Version: 1.0
+Id: 9cdf145a-c67e-45cd-bdec-1bcfeb2d50b1
+RecreateDirectories: true
+Targets:
+ -
+ Name: Action1 Client Application logs
+ Category: ApplicationLogs
+ Path: C:\Windows\Action1\logs
+ FileMask: '*.log'
+ Comment: "Contains Application Log entries such as service start and incomming connections, and deployed scripts/jobs."
+
+
+# Documentation
+# https://dfirtnt.wordpress.com/2023/08/23/rmm-action1-client-side-evidence/
+# https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
\ No newline at end of file
diff --git a/Level.tkape b/Level.tkape
new file mode 100644
index 000000000..a6ba3a75e
--- /dev/null
+++ b/Level.tkape
@@ -0,0 +1,16 @@
+Description: Level.io Application Logs
+Author: Andrew Skatoff @DFIR_TNT
+Version: 1.0
+Id: 5e2c322f-616c-42e4-9cd7-4546cf2412e6
+RecreateDirectories: true
+Targets:
+ -
+ Name: Action1 RMM Client Application logs
+ Category: ApplicationLogs
+ Path: C:\Program Files\Level
+ FileMask: '*.log'
+ Comment: "Contains Application Log entries such as service start and incomming connections."
+
+
+# Documentation
+# https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
\ No newline at end of file
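Review bot: The Comment value in the Action1.tkape target misspells "incoming" as "incomming", and that string is what KAPE shows analysts in its target listing; change it to `Comment: "Contains Application Log entries such as service start and incoming connections, and deployed scripts/jobs."`. The same misspelling is in the Level.tkape hunk's Comment. Separately, the target collects `C:\Windows\Action1\logs` with `FileMask: '*.log'` and no `Recursive: true`, so any rotated or archived logs the agent writes into a subfolder would not be gathered — the agent's on-disk layout is not shown here, so this is worth confirming on a live install before the target is relied on for triage.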
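Review bot: The Name field in Level.tkape reads `Name: Action1 RMM Client Application logs`, which looks like a copy-paste leftover from the Action1 target and would mislabel this collection in KAPE's output and console log; change it to `Name: Level.io Client Application logs` so it matches the file's Description. As in the Action1 hunk, the Path `C:\Program Files\Level` is collected with `FileMask: '*.log'` and no `Recursive: true`, so log files in any subdirectory of the install folder would be skipped — this depends on how the Level agent lays out its logs, which the patch does not document, so verifying it against an installed agent and noting the result in the trailing `# Documentation` comments would help future maintainers.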