← Back to Explore
sigmamediumHunting
Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
Detection Query
selection:
CommandLine|contains: --meshServiceName
condition: selection
Author
Norbert Jaśniewicz (AlphaSOC)
Created
2025-05-19
Data Sources
macosProcess Creation Events
Platforms
macos
References
Tags
attack.command-and-controlattack.t1219.002
Raw Content
title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
- id: 2fbbe9ff-0afc-470b-bdc0-592198339968
type: similar
status: experimental
description: |
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains: '--meshServiceName'
condition: selection
falsepositives:
- Environments that legitimately use MeshAgent
level: medium