Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Sigma rule (View on GitHub)
1title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
2id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
3related:
4 - id: b471f462-eb0d-4832-be35-28d94bdb4780
5 type: similar
6 - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
7 type: derived
8status: experimental
9description: |
10 Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
11 RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
12 However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
13references:
14 - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
15 - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
16 - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
17 - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
18author: Norbert Jaśniewicz (AlphaSOC)
19date: 2025-05-19
20tags:
21 - attack.command-and-control
22 - attack.defense-evasion
23 - attack.t1219.002
24 - attack.t1036.003
25logsource:
26 category: process_creation
27 product: macos
28detection:
29 selection_meshagent:
30 - CommandLine|contains: '--meshServiceName'
31 - OriginalFileName|contains: 'meshagent'
32 filter_main_legitimate:
33 Image|endswith:
34 - '/meshagent'
35 - '/meshagent_osx64'
36 condition: selection_meshagent and not 1 of filter_main_*
37falsepositives:
38 - Unknown
39level: high
References
-
In this blog, Huntress SOC investigators unravel the lateral movement and persistence of an interesting threat actor and their novel infrastructure
Read More -
Over 100 Ukrainian state and local government computers have been compromised with MeshAgent malware in a phishing campaign leveraging trust in the Security
Read More -
This blog post describes how to detect MeshAgent activities using Wazuh. MeshAgent is not inherently malicious but can be abused.
Read More -
Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
Read More
Related rules
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - Potential MeshAgent Execution - MacOS
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact