EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Remote Access Tool - Renamed MeshAgent Execution - MacOS

Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.

MITRE ATT&CK

T1219.002T1036.003
command-and-controldefense-evasion

Detection Query

selection_meshagent:
  - CommandLine|contains: --meshServiceName
  - OriginalFileName|contains: meshagent
filter_main_legitimate:
  Image|endswith:
    - /meshagent
    - /meshagent_osx64
condition: selection_meshagent and not 1 of filter_main_*

Author

Norbert Jaśniewicz (AlphaSOC)

Created

2025-05-19

Data Sources

macosProcess Creation Events

Platforms

macos

References

Tags

attack.command-and-controlattack.defense-evasionattack.t1219.002attack.t1036.003
Raw Content
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high