Techniques
Sample rules
Remote Access Tool - Potential MeshAgent Execution - MacOS
- source: sigma
- techniques:
  - t1219
  - t1219.002
Description
Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines that contain the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.
Detection logic
condition: selection
selection:
  CommandLine|contains: --meshServiceName
Remote Access Tool - Potential MeshAgent Execution - Windows
- source: sigma
- techniques:
  - t1219
  - t1219.002
Description
Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines that contain the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.
Detection logic
condition: selection
selection:
  CommandLine|contains: --meshServiceName