Remote Access Tool - Potential MeshAgent Execution - MacOS

Original Source: [Sigma source]
Title: Remote Access Tool - Potential MeshAgent Execution - MacOS
Status: experimental
Description: Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines on the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.
References:
  - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
  - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
  - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
  - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
Author: Norbert Jaśniewicz (AlphaSOC)
Date: 2025-05-19
Modified: None
Tags:
  - attack.command-and-control
  - attack.t1219.002
Logsource:
  category: process_creation
  product: macos
Detection:
  selection:
    CommandLine|contains: '--meshServiceName'
  condition: selection
False positives:
  - Environments that legitimately use MeshAgent
Level: medium
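The rule's logic is small enough to run outside a SIEM. The following is an added example, written for this page and not part of the Sigma rule or any project's code: it implements the `selection` / `condition` above in Python and runs it over a handful of constructed macOS process_creation events (the file paths, users and command lines are invented for illustration). Field names follow the Sigma process_creation schema (`Image`, `CommandLine`, `User`). Two details are worth seeing in code: Sigma's `contains` modifier is case-insensitive unless `|cased` is added, and the match keys on the argument rather than the image name, which is why a renamed binary is still caught while an event that merely mentions "meshagent" in a path without the argument is not.

```python
"""Evaluate the Sigma rule 'Potential MeshAgent Execution - MacOS' over
constructed process_creation events. Added example; not the rule's own code."""
import json

# Sigma's `contains` modifier is case-insensitive by default, so compare lowercased.
INDICATOR = "--meshServiceName".lower()

RULE_TITLE = "Remote Access Tool - Potential MeshAgent Execution - MacOS"
RULE_LEVEL = "medium"

# Constructed sample events (not real telemetry). The second event models the
# renamed-binary case the description mentions: the image name gives nothing
# away, but the argument is still present. The fourth mentions "meshagent" in
# a path but lacks the argument, so the rule does not fire on it.
SAMPLE_EVENTS = [
    {"Image": "/usr/local/mesh_services/meshagent/meshagent",
     "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=meshagent",
     "User": "root"},
    {"Image": "/Library/Caches/.update/sysupd",
     "CommandLine": "/Library/Caches/.update/sysupd --MESHSERVICENAME=sysupd --installedByUser=501",
     "User": "root"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "/usr/bin/python3 -m http.server 8000",
     "User": "alice"},
    {"Image": "/bin/launchctl",
     "CommandLine": "launchctl load /Library/LaunchDaemons/meshagent.plist",
     "User": "root"},
]


def matches_selection(event: dict) -> bool:
    """selection: CommandLine|contains: '--meshServiceName'"""
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False
    return INDICATOR in cmdline.lower()


def evaluate(events) -> list:
    """condition: selection. Returns one alert record per matching event."""
    alerts = []
    for event in events:
        if matches_selection(event):
            alerts.append({
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "image": event.get("Image"),
                "user": event.get("User"),
                "command_line": event.get("CommandLine"),
            })
    return alerts


def evaluate_jsonl(text: str) -> list:
    """Same logic over newline-delimited JSON, the shape most log shippers emit."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return evaluate(events)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['image']} run by {alert['user']}")
```

Running it prints two alerts, one for the plainly named agent and one for the renamed binary. When tuning for the listed false positive (environments that legitimately run MeshAgent), the natural filter is an allow-list on `Image` or `User` applied after `matches_selection`, rather than weakening the `CommandLine` match itself.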