Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
Sigma rule
title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium
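To show how the rule behaves against process-creation telemetry, here is an added example (written for this page; not SigmaHQ, pySigma or MeshAgent project code) that evaluates the rule's single `CommandLine|contains` selection over a handful of constructed macOS process_creation events. The image paths, service names and command lines are made up for illustration. The point it demonstrates is the one the description makes: a renamed binary still matches because the detection keys on the argument, not on the file name, while Sigma's `contains` modifier is case-insensitive so a differently cased argument is not missed.

```python
"""Added example: evaluate the rule's 'CommandLine|contains' selection against
constructed macOS process_creation events. Illustration code for this page,
not SigmaHQ or pySigma code; event data below is constructed, not captured."""
from typing import Iterable

RULE_ID = "22c45af6-f590-4d44-bab3-b5b2d2a2b6d9"

# The rule's selection map. Sigma string modifiers such as |contains are
# case-insensitive by default, so the match lowercases both sides.
SELECTION = {"CommandLine|contains": "--meshServiceName"}


def field_matches(event: dict, field_spec: str, value: str) -> bool:
    """Apply one 'Field|modifier: value' entry to an event."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:          # field absent from the event: no match
        return False
    actual, value = str(actual).lower(), value.lower()
    if modifier == "contains":
        return value in actual
    if modifier == "":          # plain field: exact (case-insensitive) match
        return actual == value
    raise ValueError(f"unsupported modifier in this example: {modifier}")


def rule_matches(event: dict) -> bool:
    """'condition: selection' means every entry in the selection map must match."""
    return all(field_matches(event, spec, val) for spec, val in SELECTION.items())


def evaluate(events: Iterable[dict]) -> list:
    """Return the events that trigger the rule."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and names, not real telemetry).
SAMPLE_EVENTS = [
    # Stock install: binary and argument both say MeshAgent.
    {"Image": "/usr/local/mesh_services/meshagent/meshagent",
     "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=meshagent"},
    # Renamed binary: the image name gives nothing away, the argument still does.
    {"Image": "/Library/Application Support/Updater/updatehelper",
     "CommandLine": "/Library/Application Support/Updater/updatehelper --meshServiceName=Updater"},
    # Benign processes that should not fire.
    {"Image": "/usr/bin/curl",
     "CommandLine": "/usr/bin/curl -sS https://example.invalid/health"},
    {"Image": "/usr/sbin/sshd", "CommandLine": "/usr/sbin/sshd -D"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] {hit['Image']}: {hit['CommandLine']}")
```

Running the block prints the two MeshAgent-style events and nothing for the benign ones. When tuning for the listed false positive (environments that legitimately run MeshAgent), an exclusion would sit in a second selection keyed on the sanctioned image path or service name rather than in a loosening of the `--meshServiceName` match, since that argument is exactly what a renamed binary cannot hide.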
Related rules
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - Renamed MeshAgent Execution - MacOS
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact