Summary of the Pull Request
This pull request adds a new detection rule for identifying the use of MeshAgent to execute commands on a target host. The rule focuses on detecting scenarios where threat actors might abuse MeshAgent to execute commands directly. Specifically, it looks for the use of win-console to obscure activities and win-dispatcher to run malicious code through IPC with child processes.
Changelog
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions
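An illustrative matcher for the logic the summary describes, added here as an example; it is not the PR's own Sigma rule. The Sysmon/Sigma process_creation field names (ParentImage, Image, CommandLine), the scoping to a MeshAgent.exe parent, and the sample events are all assumptions constructed for this example:

```python
"""Example detection logic for MeshAgent command execution via MeshCentral.

Field names follow the Sysmon Event ID 1 / Sigma process_creation convention
(assumed); the parent-image scoping is an assumption about how such a rule
would be bounded, not the PR's YAML.
"""

# Mode arguments the PR summary names: "win-console" and "win-dispatcher",
# which MeshAgent uses when running commands on the host.
SUSPICIOUS_ARGS = ("win-console", "win-dispatcher")


def is_meshagent_command_execution(event: dict) -> bool:
    """Return True when a process-creation event matches the described pattern:
    the parent process is MeshAgent.exe and the command line carries one of
    its console/dispatcher mode arguments."""
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not parent.endswith("\\meshagent.exe"):
        return False
    return any(arg in cmdline for arg in SUSPICIOUS_ARGS)


def find_matches(events):
    """Run the check over a batch of events and return only the hits."""
    return [e for e in events if is_meshagent_command_execution(e)]


# Constructed sample events (not real telemetry). The first two should match;
# the last two must not: one is a MeshAgent child without a mode argument,
# the other mentions win-console but is not spawned by MeshAgent.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" win-dispatcher'},
    {"ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" win-console'},
    {"ParentImage": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c echo win-console'},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("MATCH:", hit["CommandLine"])
```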