Remote Access Tool - Renamed MeshAgent Execution - Windows

Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.

Sigma rule

title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
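The detection block above reads as: fire when either the command line contains the `--meshServiceName` switch or the PE `OriginalFileName` contains `meshagent`, unless the running image itself is still named `meshagent.exe`. The following Python is an added example, not part of the rule or the Sigma project, that evaluates that logic over a handful of constructed process_creation events so the selection/filter interplay can be checked before the rule is deployed. Field names follow the Sigma Windows process_creation taxonomy; the sample events, paths and service names are invented for illustration, and string matching is done case-insensitively, as Sigma's default `contains`/`endswith` modifiers are.

```python
# Minimal evaluator for the "Renamed MeshAgent Execution" rule logic.
# Sample events below are constructed for this example; they are not real telemetry.

SAMPLE_EVENTS = [
    # Legitimate install: binary keeps its original name, so the filter excludes it.
    {"Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "OriginalFileName": "meshagent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" --meshServiceName="Mesh Agent"'},
    # Renamed binary: PE version info still says meshagent.exe -> matches.
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "meshagent.exe",
     "CommandLine": r'C:\Users\Public\svchost.exe --meshServiceName="Mesh Agent"'},
    # Renamed binary with version info stripped, but the switch is present -> matches.
    {"Image": r"C:\Windows\Temp\update.exe",
     "OriginalFileName": "",
     "CommandLine": r"C:\Windows\Temp\update.exe --meshServiceName=UpdateSvc"},
    # Unrelated process -> no match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe readme.txt"},
]


def _contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive substring match; missing field never matches."""
    return needle.lower() in (value or "").lower()


def _endswith(value, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix match; missing field never matches."""
    return (value or "").lower().endswith(suffix.lower())


def selection_meshagent(event):
    """A list of maps in Sigma is OR-ed: any one entry matching selects the event."""
    return (_contains(event.get("CommandLine"), "--meshServiceName")
            or _contains(event.get("OriginalFileName"), "meshagent"))


def filter_main_legitimate(event):
    """Exclude images that still carry the vendor's file name."""
    return _endswith(event.get("Image"), r"\meshagent.exe")


def matches_rule(event):
    """condition: selection_meshagent and not 1 of filter_main_*"""
    return selection_meshagent(event) and not filter_main_legitimate(event)


def evaluate(events):
    """Return the Image path of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT: renamed MeshAgent candidate:", image)
```

Two points fall out of running it. The filter keys only on the image name, so everything the rule actually detects comes from the PE `OriginalFileName` string and the `--meshServiceName` switch; a log source that does not populate `OriginalFileName` (some EDR and Sysmon configurations omit it) loses the second selection entry and leaves only the command-line match. And because `falsepositives` is listed as `Unknown`, it is worth checking how MeshAgent is legitimately deployed in your environment, for instance whether any sanctioned installer ships the agent under a different binary name, before setting the alert to `high` in production.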
