From 014d169f83a2d9a16435dcb08020bb9f79f5c1d2 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Sun, 22 Sep 2024 10:26:02 -0700
Subject: [PATCH] Merge PR #5020 from @tsale - Add `Remote Access Tool - MeshAgent Command Execution via MeshCentral`

new: Remote Access Tool - MeshAgent Command Execution via MeshCentral

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...win_remote_access_tools_meshagent_exec.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml

diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
new file mode 100644
index 000000000..22c35ffb5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
@@ -0,0 +1,29 @@
+title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
+id: 74a2b202-73e0-4693-9a3a-9d36146d0775
+status: experimental
+description: |
+ Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
+ MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+references:
+ - https://github.com/Ylianst/MeshAgent
+ - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
+ - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
+author: '@Kostastsale'
+date: 2024-09-22
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: '\meshagent.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ condition: selection
+falsepositives:
+ - False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
+level: medium
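Review bot: The falsepositives entry contradicts the selection it annotates: the rule keys on `ParentImage|endswith: '\meshagent.exe'`, so the process an analyst should pivot on is the direct parent, not a "grandparent", and the product name is misspelled twice as "MessAgent". Suggest `- False positives can be found in environments using MeshAgent for remote management; analysis should prioritize the parent process, meshagent.exe, and scrutinize the child processes spawned by any suspicious interactive commands directed at the target host.` The description also credits win-console and win-dispatcher with IPC-based execution, but the selection only observes a direct meshagent.exe → cmd/powershell/pwsh parent-child edge; if the dispatcher path referenced in win-dispatcher.js#L173 introduces an intermediate process (not verifiable from this hunk), that case is outside the rule's coverage and the description should say so rather than imply it is detected. Since this fires on every interactive shell a legitimate MeshCentral operator opens, a sentence in the description recommending environment-specific tuning (e.g. by CommandLine or User) would help consumers calibrate the medium level.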