Detection | Level: medium | Status: experimental

Remote Access Tool - Potential MeshAgent Execution - Windows

Detects potential execution of MeshAgent, a tool used for remote access. Historical data shows that threat actors rename the MeshAgent binary to evade detection. Matching command lines that contain the '--meshServiceName' argument can indicate that MeshAgent is being used for remote access.

Author: Norbert Jaśniewicz (AlphaSOC)
Created: Mon May 19
Rule ID: 2fbbe9ff-0afc-470b-bdc0-592198339968
Product: windows

Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (1 selector)

detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
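As an added example (not part of the rule page or the rule author's code), the selection above evaluated over constructed Windows process_creation events, including the renamed-binary case the description mentions. Field names follow Sigma's process_creation model; the sample paths and command lines are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example: evaluate the rule's single selection over constructed
# process_creation events. Sigma string modifiers such as `contains` match
# case-insensitively by default, so both sides are lowercased here.
from typing import Iterable, List

RULE_ID = "2fbbe9ff-0afc-470b-bdc0-592198339968"  # id from the rule page
NEEDLE = "--meshServiceName"                         # the selection's contains value

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" --meshServiceName="Mesh Agent"'},
    # Renamed binary: the image name no longer says MeshAgent, but the
    # service-name argument is still on the command line (different casing).
    {"Image": r"C:\Users\Public\updater.exe",
     "CommandLine": r"C:\Users\Public\updater.exe --MESHSERVICENAME=Updater"},
    # Benign process, no match expected.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]


def matches_selection(event: dict) -> bool:
    """True when the event satisfies `CommandLine|contains: '--meshServiceName'`."""
    cmdline = event.get("CommandLine", "")
    return NEEDLE.lower() in cmdline.lower()


def detect(events: Iterable[dict]) -> List[dict]:
    """Return one alert per matching event with the fields an analyst triages on."""
    alerts = []
    for ev in events:
        if matches_selection(ev):
            image = ev.get("Image") or ""
            alerts.append({
                "rule_id": RULE_ID,
                "title": "Remote Access Tool - Potential MeshAgent Execution - Windows",
                "level": "medium",
                "image": image,
                "command_line": ev.get("CommandLine"),
                # Triage hint: a MeshAgent argument under a binary whose name does
                # not mention MeshAgent is the renamed-binary case from the description.
                "renamed_binary": "meshagent" not in image.lower(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `renamed_binary` flag is a local triage aid, not part of the Sigma rule; the rule itself fires on the command-line argument alone, which is why the false-positive note below matters.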
False Positives

Environments that legitimately use MeshAgent