Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Sigma rule
```yaml
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
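To show how the rule's condition actually behaves, here is an added example (not part of the SigmaHQ rule or its page) that evaluates the selection and filter logic over a handful of constructed macOS process_creation events. It assumes the default Sigma semantics (list items under a selection are OR-ed, `contains`/`endswith` compare case-insensitively) and that the sensor populates `OriginalFileName`; on macOS that field is often empty, so in practice the `--meshServiceName` command-line check does most of the work.

```python
from typing import Dict, List

# Constructed macOS process_creation events (not real telemetry); field names
# follow the Sigma process_creation taxonomy used by the rule.
EVENTS: List[Dict[str, str]] = [
    {   # legitimate install path: matches the selection, excluded by the filter
        "Image": "/usr/local/mesh_services/meshagent/meshagent",
        "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=meshagent",
        "OriginalFileName": "meshagent",
    },
    {   # renamed binary: selection hits via CommandLine, filter does not apply
        "Image": "/Users/Shared/.cache/sysupdate",
        "CommandLine": "/Users/Shared/.cache/sysupdate --meshServiceName=sysupdate",
        "OriginalFileName": "",
    },
    {   # renamed binary identified only through OriginalFileName
        "Image": "/tmp/helper",
        "CommandLine": "/tmp/helper -install",
        "OriginalFileName": "MeshAgent",
    },
    {   # unrelated process: no alert
        "Image": "/usr/bin/curl",
        "CommandLine": "curl https://example.invalid",
        "OriginalFileName": "curl",
    },
]

def selection_meshagent(ev: Dict[str, str]) -> bool:
    """List items under a Sigma selection are OR-ed; |contains is case-insensitive."""
    return ("--meshservicename" in ev.get("CommandLine", "").lower()
            or "meshagent" in ev.get("OriginalFileName", "").lower())

def filter_main_legitimate(ev: Dict[str, str]) -> bool:
    """Image|endswith list is OR-ed; true for the expected on-disk binary names."""
    image = ev.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in ("/meshagent", "/meshagent_osx64"))

def matches_rule(ev: Dict[str, str]) -> bool:
    """condition: selection_meshagent and not 1 of filter_main_*"""
    filters = [filter_main_legitimate]          # every filter_main_* selection
    return selection_meshagent(ev) and not any(f(ev) for f in filters)

def renamed_meshagent_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event the rule would alert on."""
    return [ev["Image"] for ev in events if matches_rule(ev)]

if __name__ == "__main__":
    for image in renamed_meshagent_alerts(EVENTS):
        print("ALERT renamed MeshAgent:", image)
```

Running it alerts on the two renamed instances and stays silent on the legitimately named agent, which is exactly the behaviour the `filter_main_legitimate` exclusion is there to produce.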
Related rules
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - Potential MeshAgent Execution - MacOS
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact