LoFP / environments that legitimately use meshagent

Techniques

Sample rules

Remote Access Tool - Potential MeshAgent Execution - MacOS

Description

Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines that contain the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access, regardless of what the binary has been renamed to.

Detection logic

condition: selection
selection:
  CommandLine|contains: --meshServiceName

Remote Access Tool - Potential MeshAgent Execution - Windows

Description

Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines that contain the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access, regardless of what the binary has been renamed to.

Detection logic

condition: selection
selection:
  CommandLine|contains: --meshServiceName
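The following is an added example, not part of this LoFP page or of the Sigma rules above. It applies the rules' CommandLine|contains logic to a few constructed process events and shows how an environment that legitimately deploys MeshAgent can tune the hit into a review item by allowlisting its expected service names; the image paths, service names and the EXPECTED_SERVICE_NAMES set are all hypothetical.

```python
import re

# Constructed sample process events; paths and service names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" --meshServiceName="Mesh Agent"'},
    {"Image": r"C:\Users\Public\svchost.exe",        # renamed binary, as the rule description warns
     "CommandLine": r"C:\Users\Public\svchost.exe --meshServiceName=updatesvc"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # ordinary service host, no MeshAgent argument
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": "/tmp/.cache/agent",                  # macOS variant of the same pattern
     "CommandLine": "/tmp/.cache/agent --meshServiceName=meshagent"},
]

# Service names under which this hypothetical environment deploys MeshAgent on purpose.
EXPECTED_SERVICE_NAMES = {"Mesh Agent"}

# Accepts both '--meshServiceName=value' and '--meshServiceName value', quoted or not.
SERVICE_NAME_RE = re.compile(r'--meshServiceName(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def matches_rule(event):
    """Sigma selection from the rules above: CommandLine|contains '--meshServiceName'.
    Sigma string matching is case-insensitive, so the comparison is lower-cased."""
    return "--meshservicename" in event.get("CommandLine", "").lower()


def mesh_service_name(command_line):
    """Return the value passed to --meshServiceName, or None if absent/empty."""
    m = SERVICE_NAME_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events, expected=EXPECTED_SERVICE_NAMES):
    """Run the rule over events and label each hit: an expected service name is a
    likely false positive to review; anything else (including a renamed binary)
    is escalated. Returns a list of (Image, verdict) pairs."""
    results = []
    for ev in events:
        if not matches_rule(ev):
            continue
        name = mesh_service_name(ev["CommandLine"])
        if name in expected:
            results.append((ev["Image"], "expected MeshAgent service name: review only"))
        else:
            results.append((ev["Image"], f"unexpected service name {name!r}: investigate"))
    return results
```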