Remote Access Tool - Potential MeshAgent Execution - MacOS

Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection, so the rule keys on the command line rather than the image name: matching command lines containing the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.

Sigma rule

title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent, a tool used for remote access.
    Historical data shows that threat actors rename the MeshAgent binary to evade detection.
    Matching command lines containing the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium
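The following is an added example, not part of the Sigma rule or of SigmaHQ: it evaluates the rule's single `selection` (a case-insensitive `contains` on `CommandLine`, which is how Sigma string modifiers behave) over constructed macOS process_creation events, and then applies a tuning allowlist for the rule's stated false positive, environments that legitimately run MeshAgent. Field names (`Image`, `CommandLine`) follow the Sigma process_creation taxonomy; the sample events, the allowlist entries and the helper names are assumptions made for this example.

```python
# Added example: apply the rule's detection logic to constructed events and
# separate expected MeshAgent deployments from unexpected ones.
from dataclasses import dataclass

# The rule's selection: CommandLine|contains: '--meshServiceName'.
# Sigma string modifiers are case-insensitive, so both sides are lowercased.
SELECTION_SUBSTRING = "--meshServiceName"


def matches_selection(event: dict) -> bool:
    """Equivalent of the rule's 'selection' block under 'condition: selection'."""
    cmdline = event.get("CommandLine", "")
    return SELECTION_SUBSTRING.lower() in cmdline.lower()


# Assumed allowlist for a managed deployment: (binary path, service name).
# Placeholder values for this example, not defaults from any product.
EXPECTED_DEPLOYMENTS = {
    ("/usr/local/mesh_services/meshagent/meshagent", "meshagent"),
}


def service_name(cmdline: str) -> str:
    """Return the value given to --meshServiceName (space- or '='-separated), or ''."""
    tokens = cmdline.split()
    needle = SELECTION_SUBSTRING.lower()
    for i, tok in enumerate(tokens):
        if tok.lower() == needle and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.lower().startswith(needle + "="):
            return tok.split("=", 1)[1]
    return ""


def is_expected_deployment(event: dict) -> bool:
    """True when both the image path and the service name are on the allowlist."""
    key = (event.get("Image", ""), service_name(event.get("CommandLine", "")))
    return key in EXPECTED_DEPLOYMENTS


@dataclass
class Finding:
    event_id: str
    image: str
    service: str
    suppressed: bool  # matched the rule, but is a known-good deployment


def run_detection(events):
    """Return one Finding per event that matches the rule, in input order."""
    findings = []
    for ev in events:
        if not matches_selection(ev):
            continue
        findings.append(Finding(
            event_id=ev["id"],
            image=ev.get("Image", ""),
            service=service_name(ev.get("CommandLine", "")),
            suppressed=is_expected_deployment(ev),
        ))
    return findings


# Constructed sample events: the expected deployment, a renamed binary using the
# '=' form, a case variant of the argument, and unrelated process noise.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "/usr/local/mesh_services/meshagent/meshagent",
     "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName meshagent"},
    {"id": "e2", "Image": "/Library/Application Support/SysUpdate/sysupdated",
     "CommandLine": "/Library/Application Support/SysUpdate/sysupdated --meshServiceName=SysUpdate"},
    {"id": "e3", "Image": "/private/tmp/.cache/helper",
     "CommandLine": "/private/tmp/.cache/helper --MESHSERVICENAME helper"},
    {"id": "e4", "Image": "/usr/bin/python3",
     "CommandLine": "/usr/bin/python3 -m http.server 8000"},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        state = "suppressed (expected deployment)" if f.suppressed else "ALERT"
        print(f"{f.event_id}: {state} image={f.image} service={f.service}")
```

Keying the allowlist on image path plus service name, rather than on the service name alone, is what keeps the renamed-binary case (e2, e3) visible: a renamed agent cannot be suppressed by reusing a familiar service name from a different path.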
