LoFP / False positives can be found in environments using MeshAgent for remote management; analysis should prioritize the parent process (ParentImage), meshagent.exe, and scrutinize the child processes it spawns for any suspicious interactive commands directed at the target host.

Techniques

Sample rules

Remote Access Tool - MeshAgent Command Execution via MeshCentral

Description

Detects MeshAgent (the MeshCentral agent) spawning a command interpreter on the target host, which threat actors may abuse to execute commands directly. MeshAgent can run commands on the host by leveraging its win-console module to obscure the activity and its win-dispatcher module to run code through IPC with child processes.

Detection logic

selection:
  ParentImage|endswith: \meshagent.exe
  Image|endswith:
    - \cmd.exe
    - \powershell.exe
    - \pwsh.exe
condition: selection
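The rule above applied to a handful of process-creation records, as an added example that is not part of this page, the Sigma rule, or the MeshCentral project. The records are constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the suspicious-token list used to rank hits is an assumption of this example for the triage step the false-positive note recommends, not part of the rule's selection.

```python
"""Added example: run the MeshAgent command-execution selection over
constructed process-creation records and rank hits for triage."""

# Sigma's 'endswith' modifier on string fields is case-insensitive by
# default, so both sides are lower-cased before comparison.
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
PARENT_SUFFIX = "\\meshagent.exe"

# Constructed (hypothetical) records shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'cmd.exe /c "whoami & net user /add backdoor P@ss"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": "notepad.exe"},
]


def matches_rule(event):
    """Return True when the record satisfies the rule's 'selection' block:
    parent is meshagent.exe AND the child is one of the listed shells."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return parent.endswith(PARENT_SUFFIX) and any(
        image.endswith(suffix) for suffix in CHILD_SUFFIXES
    )


# Triage heuristic (an assumption of this example, not part of the rule):
# discovery and persistence verbs in the child's command line separate an
# administrator's remote shell from a hit worth escalating.
SUSPICIOUS_TOKENS = ("whoami", "net user", "net localgroup", "-enc", "iex",
                     "downloadstring", "reg add", "schtasks")


def score(event):
    """Count suspicious tokens in the child's command line."""
    cmd = event.get("CommandLine", "").lower()
    return sum(1 for token in SUSPICIOUS_TOKENS if token in cmd)


def run_rule(events):
    """Apply the selection, then order hits with the most suspicious first."""
    hits = [event for event in events if matches_rule(event)]
    return sorted(hits, key=score, reverse=True)


if __name__ == "__main__":
    for event in run_rule(SAMPLE_EVENTS):
        print(score(event), event["ParentImage"], "->", event["CommandLine"])
```

Only the two records whose parent is MeshAgent and whose child is a listed shell match; the cmd.exe started from explorer.exe and the notepad.exe started by MeshAgent do not. Of the two hits, the administrator's `Get-Service` call scores zero and sinks to the bottom, which is the prioritisation the false-positive note asks for in environments where MeshAgent is used legitimately.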