Remote Access Tool - MeshAgent Command Execution via MeshCentral
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
Sigma rule (View on GitHub)
1title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
2id: 74a2b202-73e0-4693-9a3a-9d36146d0775
3status: experimental
4description: |
5 Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
6 MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
7references:
8 - https://github.com/Ylianst/MeshAgent
9 - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
10 - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
11author: '@Kostastsale'
12date: 2024-09-22
13tags:
14 - attack.command-and-control
15 - attack.t1219
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 ParentImage|endswith: '\meshagent.exe'
22 Image|endswith:
23 - '\cmd.exe'
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 condition: selection
27falsepositives:
28 - False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
29level: medium
References
-
MeshAgent used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project. - Ylianst/MeshAgent
Read More -
MeshAgent used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project. - Ylianst/MeshAgent
Read More -
MeshAgent used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project. - Ylianst/MeshAgent
Read More
Related rules
- DNS Query To Remote Access Software Domain From Non-Browser App
- Remote Access Tool - AnyDesk Incoming Connection
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact