Remote Access Tool - Renamed MeshAgent Execution - MacOS

Original Source: [Sigma source]
Title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
Status: experimental
Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool MeshAgent. RMM tools such as MeshAgent are commonly used by IT administrators for legitimate remote support and system management. However, malicious actors may abuse these tools by renaming them to bypass detection mechanisms, enabling unauthorized access to and control over compromised systems.
References:
  - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
  - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
  - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
  - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
Author: Norbert Jaśniewicz (AlphaSOC)
Date: 2025-05-19
Modified: None
Tags:
  - 'attack.command-and-control'
  - 'attack.defense-evasion'
  - 'attack.t1219.002'
  - 'attack.t1036.003'
Logsource:
  category: process_creation
  product: macos
Detection:
  selection_meshagent:
    CommandLine|contains: '--meshServiceName'
    OriginalFileName|contains: 'meshagent'
  filter_main_legitimate:
    Image|endswith:
      - '/meshagent'
      - '/meshagent_osx64'
  condition: selection_meshagent and not 1 of filter_main_*
Falsepositives:
  - Unknown
Level: high
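To see what the detection above actually fires on, here is the rule's selection, filter and condition hand-coded in Python and replayed over a handful of constructed macOS process-creation events. This is an added example, not code from the Sigma project or the rule author: it assumes Sigma's default case-insensitive semantics for the `contains` and `endswith` modifiers and that the two fields inside `selection_meshagent` are ANDed (they sit in one map, not a list); every path and file name in the sample events is invented.

```python
"""Replay of the Sigma detection logic for renamed MeshAgent on macOS.

Added example: this is not code from the Sigma project or the rule author.
It hand-codes the rule's selection, filter and condition using Sigma's
default case-insensitive string matching, then runs them over a few
constructed process-creation events.
"""


def _contains(value, needle):
    # Sigma's |contains modifier: case-insensitive substring match.
    return value is not None and needle.lower() in value.lower()


def _endswith(value, suffix):
    # Sigma's |endswith modifier: case-insensitive suffix match.
    return value is not None and value.lower().endswith(suffix.lower())


def selection_meshagent(event):
    # Two field conditions in one selection map are ANDed by Sigma:
    # the MeshAgent-specific argument must be present AND the binary's
    # original file name must identify it as MeshAgent.
    return (
        _contains(event.get("CommandLine"), "--meshServiceName")
        and _contains(event.get("OriginalFileName"), "meshagent")
    )


def filter_main_legitimate(event):
    # Allowlist the documented MeshAgent binary names on disk.
    return any(
        _endswith(event.get("Image"), suffix)
        for suffix in ("/meshagent", "/meshagent_osx64")
    )


def rule_matches(event):
    # condition: selection_meshagent and not 1 of filter_main_*
    return selection_meshagent(event) and not filter_main_legitimate(event)


def alerting_images(events):
    """Return the Image of every event the rule would fire on."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (paths and names are invented for illustration).
SAMPLE_EVENTS = [
    {   # Stock install: the binary keeps its name, so the filter suppresses it.
        "Image": "/usr/local/mesh_services/meshagent/meshagent",
        "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=meshagent",
        "OriginalFileName": "meshagent",
    },
    {   # The 64-bit build name the rule allowlists; mixed case exercises
        # the case-insensitive matching.
        "Image": "/Applications/Mesh/MeshAgent_osx64",
        "CommandLine": "MeshAgent_osx64 --meshServiceName=Mesh",
        "OriginalFileName": "MeshAgent_osx64",
    },
    {   # Renamed copy: MeshAgent argument and original name, unknown image name.
        "Image": "/Users/Shared/.cache/sysupdate",
        "CommandLine": "/Users/Shared/.cache/sysupdate --meshServiceName=sysupdate",
        "OriginalFileName": "meshagent_osx64",
    },
    {   # Telemetry without OriginalFileName: the selection cannot complete,
        # so the rule stays silent even though the argument is present.
        "Image": "/tmp/agent",
        "CommandLine": "/tmp/agent --meshServiceName=agent",
    },
    {   # Unrelated process.
        "Image": "/usr/bin/curl",
        "CommandLine": "curl https://example.invalid/",
        "OriginalFileName": "curl",
    },
]


if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT renamed MeshAgent:", image)
```

Only the third event alerts: the two stock installs are removed by the `Image|endswith` allowlist, and the fourth event shows the dependency worth checking before deployment, since a macOS telemetry source that does not populate `OriginalFileName` will never satisfy the selection, however many `--meshServiceName` command lines it records. The filter is a plain file-name allowlist, so it is also the place to tune if your environment deploys MeshAgent under a different documented binary name.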