Remote Access Tool - MeshAgent Command Execution via MeshCentral

Rule Info

Name: Remote Access Tool - MeshAgent Command Execution via MeshCentral
Author: @Kostastsale
Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
Date: 2024-09-22 00:00:00
Modified: None
Id: 74a2b202-73e0-4693-9a3a-9d36146d0775
Tags: attack.command-and-control, attack.t1219, DEMO
Type: Community Rule

Rule History

Author: Kostas
Title: Merge PR #5020 from @tsale - Add `Remote Access Tool - MeshAgent Command Execution via MeshCentral`
Date: 2024-09-22
Commit: