Date: 09/23/2024
Severity: Medium
Summary
Identifies the use of MeshAgent to execute commands on the target host, as seen when threat actors abuse it for direct command execution. MeshAgent is the endpoint agent of MeshCentral, a legitimate remote management tool, so it is frequently present on hosts by design; what this detection flags is MeshAgent spawning a command shell (cmd.exe, powershell.exe or pwsh.exe). MeshAgent can leverage win-console to conceal the actions it performs and win-dispatcher to run code via IPC with child processes, so the shell may be short-lived and the visible command line may not reflect everything that was executed.
Indicators of Compromise (IOC) List
ParentImage (suffix match) | \meshagent.exe |
Image (suffix match) | \cmd.exe, \powershell.exe, \pwsh.exe |
Both indicators are suffix matches on the full image path, as in the referenced Sigma rule; the parent must end in \meshagent.exe and the child must end in one of the three shell names. Because the indicator is a process relationship rather than a hash or a path, renaming the agent binary evades it, while a shell spawned by a legitimately deployed agent during an administrator's remote session will trigger it.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourcename = "Windows Security" AND eventtype = "4688") AND parentprocessname = "\meshagent.exe" AND newparentprocessname In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
Detection Query 2 | technologygroup = "EDR" AND parentprocessname = "\meshagent.exe" AND newparentprocessname In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
Detection Query 3 | (Resourcename = "Sysmon" AND eventtype = "1") AND parentimage = "\meshagent.exe" AND image In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
Detection Query 4 | technologygroup = "EDR" AND parentimage = "\meshagent.exe" AND image In ("\cmd.exe","\powershell.exe","\pwsh.exe") |
Queries 1 and 3 key on the native process-creation events (Security 4688 and Sysmon Event ID 1); queries 2 and 4 apply the same parent/child condition to EDR process telemetry. The comparison values are path suffixes; where the underlying field holds the full image path (as Sysmon Image/ParentImage and 4688 New Process Name/Creator Process Name do), the comparison must be a suffix or wildcard match, since an exact match against "\meshagent.exe" will never fire.
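The following Python is an added example, not code from this page, from Gurucul or from SigmaHQ. It applies the same condition the IOC list and the four queries express (parent image ending in \meshagent.exe, child image ending in \cmd.exe, \powershell.exe or \pwsh.exe, restricted to process-creation events) to a handful of constructed Sysmon Event ID 1 and Security 4688 records, and shows which ones fire and which near-misses do not. The MeshAgent install path under "C:\Program Files\Mesh Agent" and all event contents are assumptions made up for the example.

```python
# Added example: Sigma-style "endswith" matching for the MeshAgent -> shell
# detection, run over constructed process-creation records. Not Gurucul's or
# SigmaHQ's code; the paths and command lines below are invented sample data.
from dataclasses import dataclass

# Suffixes from the IOC list: the parent must be meshagent.exe and the
# child one of the three command shells.
PARENT_SUFFIX = "\\meshagent.exe"
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


@dataclass
class ProcessEvent:
    source: str          # "Sysmon" or "Windows Security"
    event_id: int        # 1 (Sysmon process create) or 4688 (Security)
    parent_image: str    # Sysmon ParentImage / 4688 "Creator Process Name"
    image: str           # Sysmon Image / 4688 "New Process Name"
    command_line: str = ""


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string matching and Windows paths are case-insensitive.
    return value.lower().endswith(suffix.lower())


def is_process_creation(ev: ProcessEvent) -> bool:
    """Only process-creation events are in scope for this rule."""
    return (ev.source == "Sysmon" and ev.event_id == 1) or \
           (ev.source == "Windows Security" and ev.event_id == 4688)


def matches_meshagent_exec(ev: ProcessEvent) -> bool:
    """True when a MeshAgent process spawns cmd.exe, powershell.exe or pwsh.exe."""
    if not is_process_creation(ev):
        return False
    if not _endswith_ci(ev.parent_image, PARENT_SUFFIX):
        return False
    return any(_endswith_ci(ev.image, s) for s in CHILD_SUFFIXES)


def detect(events):
    """Return the events that trigger the rule, in input order."""
    return [ev for ev in events if matches_meshagent_exec(ev)]


# Constructed sample events (not real telemetry). The install directory is an
# assumption about a default MeshAgent deployment, not taken from the page.
SAMPLE_EVENTS = [
    # Sysmon 1: MeshAgent spawning cmd.exe -> fires
    ProcessEvent("Sysmon", 1,
                 r"C:\Program Files\Mesh Agent\MeshAgent.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    # Security 4688: MeshAgent spawning pwsh.exe -> fires (case differs)
    ProcessEvent("Windows Security", 4688,
                 r"C:\Program Files\Mesh Agent\meshagent.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh -nop -c "Get-Process"'),
    # MeshAgent spawning a non-shell child (itself, e.g. an update) -> no fire
    ProcessEvent("Sysmon", 1,
                 r"C:\Program Files\Mesh Agent\MeshAgent.exe",
                 r"C:\Program Files\Mesh Agent\MeshAgent.exe"),
    # explorer.exe spawning powershell.exe -> wrong parent, no fire
    ProcessEvent("Sysmon", 1,
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Parent path merely contains "meshagent.exe" but does not end in it -> no fire
    ProcessEvent("Sysmon", 1,
                 r"C:\Users\jdoe\Desktop\meshagent.exe.bak",
                 r"C:\Windows\System32\cmd.exe"),
    # Right processes but not a creation event (Sysmon 3, network) -> no fire
    ProcessEvent("Sysmon", 3,
                 r"C:\Program Files\Mesh Agent\MeshAgent.exe",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit.source} {hit.event_id}] {hit.parent_image} -> {hit.image}: {hit.command_line}")
```

Only the first two sample records fire. The suffix match is what makes the rule work on full paths; it also means the rule is evaded by renaming the agent binary, and that the command line of the spawned shell should be pulled into the alert for triage, since an administrator's interactive remote session and a threat actor's whoami / discovery commands both produce the same parent/child pair.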
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml