Remote Access Tool - Renamed MeshAgent Execution - MacOS (bd3b5eaa-439d-4a42-8f35-a49f5c8a2582)

Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) | Attack Pattern | Remote Access Tool - Renamed MeshAgent Execution - MacOS (bd3b5eaa-439d-4a42-8f35-a49f5c8a2582) | Sigma-Rules | 1 |
| Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | Remote Access Tool - Renamed MeshAgent Execution - MacOS (bd3b5eaa-439d-4a42-8f35-a49f5c8a2582) | Sigma-Rules | 1 |
| Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) | Attack Pattern | Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | 2 |
| Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |