New rules: MeshAgent arguments
Summary of the Pull Request
This Pull Request adds two new sigma rules that might prove useful for detecting usage of renamed MeshCentral Agent (MeshAgent) binaries. Additionally, a typo from an already present rule is fixed.
Changing
new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
update: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed
We could add a level: high rule to match when the command line is found but the executable is not named with its default name i.e. was renamed. In addition the Windows rule can look for the OriginalFileName.
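The renamed-binary logic the reviewer describes, modelled in Python over constructed Sysmon-style process creation events (an added example, not code from the PR or from SigmaHQ). The default file name, the OriginalFileName value and the command-line marker are assumptions, not values taken from the rules under review:

```python
from __future__ import annotations
from pathlib import PureWindowsPath

# Assumed values (not taken from the PR's rules): the agent's default file name
# and the string its PE version resource carries in OriginalFileName.
DEFAULT_NAMES = {"meshagent.exe"}
ORIGINAL_FILE_NAME = "meshagent.exe"
CMDLINE_MARKERS = ("meshagent",)  # assumed command-line fingerprint substrings

def _basename(image: str) -> str:
    # Sigma string matching is case-insensitive; normalise like `Image|endswith`.
    return PureWindowsPath(image).name.lower()

def has_meshagent_fingerprint(event: dict) -> bool:
    """True when OriginalFileName or the command line points at MeshAgent."""
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return ofn == ORIGINAL_FILE_NAME or any(m in cmd for m in CMDLINE_MARKERS)

def classify(event: dict) -> str | None:
    """'potential': default name on disk; 'renamed': fingerprint under another
    name (the higher-severity case the reviewer asks for); None: no match."""
    if not has_meshagent_fingerprint(event):
        return None
    if _basename(event.get("Image", "")) in DEFAULT_NAMES:
        return "potential"
    return "renamed"

# Constructed Sysmon Event ID 1-style records, for demonstration only.
EVENTS = [
    {"Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "OriginalFileName": "MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" run'},
    {"Image": r"C:\Users\Public\updater.exe",
     "OriginalFileName": "MeshAgent.exe",   # renamed on disk, PE metadata intact
     "CommandLine": r'"C:\Users\Public\updater.exe" run'},
    {"Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "svc.exe",         # metadata stripped, command line still tells
     "CommandLine": r"C:\Users\Public\svc.exe --meshagent-marker-constructed"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{str(classify(e)):10} {e['Image']}")
```

Only the Windows field set is modelled; the same function applies to the macOS rule once its default name set is supplied.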
I have added two new rules. I assume, judging by this file, that MacOS also has an OriginalFileName field.
Hi @norbert791,
I’ve made suggestions on one of your newly added rules that detects execution of a renamed MeshAgent binary. While the change suggestion was provided on just one rule, the same feedback applies to your other similar rules as well. The title and description didn’t clearly reflect the rule’s detection logic and intent.
Please consider applying similar improvements across the other rules. Also, rename the file to follow this convention: proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
Thank you for your feedback @swachchhanda000. I applied your suggestions to the relevant parts of the rules.