Detection rule
Level: medium
Status: experimental

Remote Access Tool - Potential MeshAgent Execution - MacOS

Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines on the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.

Author: Norbert Jaśniewicz (AlphaSOC)
Created: Mon May 19
Rule ID: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
Product: macos
Log Source
Product: macOS (raw: macos)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
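The following is an added example, not part of the Sigma rule or its project: it evaluates the rule's single selection over constructed macOS process-creation events using Sigma's default case-insensitive `contains` semantics. It shows why matching on the argument rather than the image name still fires when the binary has been renamed, and that a legitimate MeshAgent install matches too, which is the false positive the rule notes. Event field names (`Image`, `CommandLine`) and all sample values are assumptions.

```python
from typing import Dict, List

# The rule's selection map, transcribed from the YAML above.
SELECTION: Dict[str, str] = {"CommandLine|contains": "--meshServiceName"}

# Constructed sample process-creation events; none of these are real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # legitimate-looking MeshAgent install (matches: false positive case)
        "Image": "/usr/local/mesh_services/meshagent/meshagent",
        "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=meshagent",
    },
    {   # binary renamed to blend in, argument unchanged apart from case (matches)
        "Image": "/Library/Application Support/helper/updater",
        "CommandLine": "/Library/Application Support/helper/updater --MESHSERVICENAME=svc",
    },
    {   # unrelated process (no match)
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s https://example.invalid/health",
    },
    {   # event with no CommandLine field at all (must not match or crash)
        "Image": "/bin/launchd",
    },
]


def evaluate_selection(selection: Dict[str, str], event: Dict[str, str]) -> bool:
    """Evaluate a flat Sigma selection map against one event.

    All field conditions in a selection map are ANDed. Only the modifiers this
    rule needs are implemented: plain equality and '|contains'. Sigma string
    matching is case-insensitive unless the 'cased' modifier is used.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))
        if modifier == "contains":
            if expected.lower() not in value.lower():
                return False
        elif modifier == "":
            if expected.lower() != value.lower():
                return False
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return True


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule (condition: selection)."""
    return [e for e in events if evaluate_selection(SELECTION, e)]
```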
False Positives

Environments that legitimately use MeshAgent