Remote Access Tool - MeshAgent Command Execution via MeshCentral

Rule Info

Name
Remote Access Tool - MeshAgent Command Execution via MeshCentral
Author
@Kostastsale
Description
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
Reference
https://github.com/Ylianst/MeshAgent
Date
2024-09-22 00:00:00
Modified
None
Id
74a2b202-73e0-4693-9a3a-9d36146d0775
Tags
attack.command-and-control attack.t1219
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=74a2b202-73e0-4693-9a3a-9d36146d0775

Rule History

Author
Title
Date
Commit
Kostas
Merge PR #5020 from @tsale - Add `Remote Access Tool - MeshAgent Command Execution via MeshCentral`
2024-09-22
014d169f8
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022