Detect MeshAgent Command Execution via MeshCentral

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Sigma rule

```yaml
title: Detect MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: experimental
description: |
    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
author: '@Kostastsale'
references:
  - https://github.com/Ylianst/MeshAgent
  - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
  - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
tags:
    - attack.command_and_control
    - attack.t1219
date: 2024-09-20
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\meshagent.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection_parent and selection_child
falsepositives:
  - False positives can be found in environments using MeshAgent for remote management. Analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium
```
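To show what the rule actually fires on, here is an added example (not part of the rule or of the MeshAgent project) that transcribes the `selection_parent and selection_child` logic into a small matcher and runs it over constructed `process_creation` events. The events, paths and command lines are made up for illustration; the field names (`Image`, `ParentImage`, `CommandLine`) follow the Sigma process_creation taxonomy, and matching is case-insensitive as Sigma string matching is.

```python
"""Added example: apply the MeshAgent Sigma rule's detection logic to
constructed Windows process_creation events. Illustrative code only; the
sample events are constructed, not real telemetry."""

from typing import Iterable

# The two selections, transcribed from the rule's detection block.
PARENT_SUFFIXES = ("\\meshagent.exe",)
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")


def _endswith_any(value: str, suffixes: tuple) -> bool:
    """Sigma's |endswith modifier compares case-insensitively."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection_parent and selection_child'."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return _endswith_any(parent, PARENT_SUFFIXES) and _endswith_any(image, CHILD_SUFFIXES)


def find_hits(events: Iterable[dict]) -> list:
    """Run the rule over a batch of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {  # cmd.exe spawned directly by MeshAgent: should match
        "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # powershell.exe spawned by MeshAgent (lowercase path): should match
        "ParentImage": r"C:\Program Files\Mesh Agent\meshagent.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c Get-Process",
    },
    {  # cmd.exe from explorer.exe: ordinary user activity, no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {  # MeshAgent launching a non-shell binary: outside selection_child, no match
        "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
        "Image": r"C:\Windows\System32\tasklist.exe",
        "CommandLine": "tasklist",
    },
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("MATCH:", hit["ParentImage"], "->", hit["CommandLine"])
```

Running the block reports the first two events and ignores the last two. Because the rule keys only on the parent/child image pair, legitimate remote-management sessions through MeshCentral produce the same pair; triage should therefore look one level up at the MeshAgent.exe process and at the `CommandLine` of the spawned shell, as the rule's false-positive note advises.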
