
Remote Access Tool - Renamed MeshAgent Execution - MacOS

Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.

Author: Norbert Jaśniewicz (AlphaSOC)
Created: Mon May 19
Rule ID: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
Product: macos
Log Source
Product: macOS (raw: macos)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
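To make the condition concrete, the following is an added example (not part of the rule, the Sigma project, or the rule author's work) that evaluates the detection block above against constructed macOS process-creation events. It assumes events are flat dictionaries keyed by the rule's own field names (CommandLine, OriginalFileName, Image) and applies Sigma's default case-insensitive string matching; the selection list is OR-ed, the filter suppresses the expected binary names, and the condition is selection AND NOT filter.

```python
"""Evaluate the renamed-MeshAgent Sigma rule against sample process events.

Added example, not part of the rule or of Sigma itself. Events are constructed
dictionaries using the rule's field names. Sigma's contains/endswith modifiers
are case-insensitive by default, so both sides are lower-cased before comparing.
"""

from typing import Iterable

# Values copied from the rule's detection block.
SELECTION_TERMS = {
    "CommandLine": "--meshServiceName",   # CommandLine|contains
    "OriginalFileName": "meshagent",      # OriginalFileName|contains
}
LEGITIMATE_IMAGE_SUFFIXES = ("/meshagent", "/meshagent_osx64")  # Image|endswith


def _field(event: dict, name: str) -> str:
    """Return the field as a lower-cased string; a missing field never matches."""
    value = event.get(name)
    return "" if value is None else str(value).lower()


def matches_selection(event: dict) -> bool:
    """selection_meshagent: a list of maps under one selector is OR-ed together."""
    return any(term.lower() in _field(event, field)
               for field, term in SELECTION_TERMS.items())


def matches_legitimate_filter(event: dict) -> bool:
    """filter_main_legitimate: the binary still carries its expected file name."""
    image = _field(event, "Image")
    return any(image.endswith(suffix) for suffix in LEGITIMATE_IMAGE_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: selection_meshagent and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_legitimate_filter(event)


def alerts(events: Iterable[dict]) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected binary name: selection matches, but the filter suppresses it
        "Image": "/usr/local/mesh_services/meshagent/meshagent",
        "CommandLine": "/usr/local/mesh_services/meshagent/meshagent --meshServiceName=MeshAgent",
    },
    {   # renamed binary started with the MeshAgent service flag -> alert
        "Image": "/Users/Shared/.cache/syncd",
        "CommandLine": "/Users/Shared/.cache/syncd --meshServiceName=syncd",
    },
    {   # renamed binary identified through the original file name field -> alert
        "Image": "/tmp/helper",
        "CommandLine": "/tmp/helper -install",
        "OriginalFileName": "MeshAgent_osx64",
    },
    {   # unrelated process -> no alert
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s https://example.invalid/",
    },
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

The first sample shows why the filter exists: a correctly named agent also carries `--meshServiceName`, so without `filter_main_legitimate` every routine MeshAgent start would alert. Whether your endpoint telemetry populates `OriginalFileName` on macOS at all is worth checking before relying on that half of the selection.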
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
Status
experimental
Level
high
Type
Detection
Created
Mon May 19
Path
rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml
Raw Tags
attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003