From 3a6e870d9bd2e8f2407dbc50efa01ea7adf0f6fb Mon Sep 17 00:00:00 2001 From: Kostas Date: Fri, 20 Sep 2024 23:56:15 -0700 Subject: [PATCH] Added MeshCentral --- yaml/meshcentral.yaml | 66 ++++++++++++++++++++++++++++++------------- 1 file changed, 47 insertions(+), 19 deletions(-) diff --git a/yaml/meshcentral.yaml b/yaml/meshcentral.yaml index 7b496f1d..2642320b 100644 --- a/yaml/meshcentral.yaml +++ b/yaml/meshcentral.yaml 
@@ -1,28 +1,51 @@ Name: MeshCentral -Description: MeshCentral is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/8/2024 +Description: > + MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. + To reduce the number of false positives in environments that already use MessAgent as their remote management tool, investigations should focus on the grandparent parent command, MessAgent.exe, and focus on the child processes created as a result of the interactive suspicious commands to the target host. +Author: '@kostastsale' +Created: '2024-09-20' +LastModified: '2024-09-20' Details: - Website: '' + Website: 'https://meshcentral.com/' PEMetadata: - Filename: '' + Filename: 'MeshAgent.exe' OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] + Description: 'MeshCentral Background Service Agent' + Privileges: 'SYSTEM' + Free: 'Yes' + Verification: 'N/A' + SupportedOS: + - Windows + - Linux + - MacOS + - FreeBSD + Capabilities: + - Remote Desktop & Terminal + - Remote File Access + - Text and Voice Chat + - Server File Storage + - Real-time User interface + - Port Forwarding + Vulnerabilities: + - CVE-2024-26135 InstallationPaths: - meshcentral*.exe - - mesh*.exe + - meshagent*.exe Artifacts: - Disk: [] - EventLog: [] - Registry: [] + Disk: + - File: C:\Program Files\Mesh Agent\MeshAgent.exe + Description: Local MeshAgent service binary after installation + OS: Windows + - File: C:\Program Files\Mesh Agent\MeshAgent.msh + Description: Local MeshAgent service configuration file. 
Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary. + OS: Windows + EventLog: + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: Mesh Agent background service + ImagePath: '"C:\\Program Files\\Mesh Agent\\MeshAgent.exe"' + Description: Service installation event as result of MeshAgent installation. Network: - Description: Known remote domains Domains: @@ -34,6 +57,11 @@ Detections: Description: Detects potential network activity of MeshCentral RMM tool - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml Description: Detects potential processes activity of MeshCentral RMM tool +- Sigma: https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml + Name: Detects MeshAgent Command Execution via MeshCentral References: - https://ylianst.github.io/MeshCentral/meshcentral/ -Acknowledgement: [] +- https://github.com/Ylianst/MeshAgent +Acknowledgement: +- Person: Kostas + Handle: '@kostastsale'
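Review bot: In the first hunk (`@@ -1,28 +1,51 @@`) the new `Description` block names the agent inconsistently: it is spelled `MessAgent` and `MessAgent.exe` in the false-positive guidance, while the `PEMetadata` `Filename` in the same hunk is `MeshAgent.exe`; both should read `MeshAgent` so that anyone grepping the YAML for the binary name finds the triage advice. While editing that paragraph, fix the grammar ("MeshAgent is used along with MeshCentral ...") and replace "the grandparent parent command, MessAgent.exe" with "the grandparent process, MeshAgent.exe", since the sentence is describing a process ancestry check, not a command. Separately, the `EventLog` entry's `ImagePath: '"C:\\Program Files\\Mesh Agent\\MeshAgent.exe"'` is a single-quoted YAML scalar, so the doubled backslashes are taken literally and the value will not match the single-backslash path used in the `Disk` entries (`C:\Program Files\Mesh Agent\MeshAgent.exe`) or the path recorded in a real 7045 event; use single backslashes inside the single-quoted string, or drop the quoting, so the two artifact sections agree. Finally, `Vulnerabilities` now lists `CVE-2024-26135` but the `References` list carries no advisory for it; adding the advisory URL would let readers verify which versions are affected.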
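Review bot: In the second hunk (`@@ -34,6 +57,11 @@`) the added detection entry uses a `Name:` key (`Name: Detects MeshAgent Command Execution via MeshCentral`) whereas the two existing `Sigma` entries directly above it use `Description:`; tooling that renders the `Detections` list by `Description` will show this entry without text, so change the key to `Description:` to match the neighbours. The rule is also linked from a personal repository (`tsale/Sigma_rules/.../proc_creation_windows_meshagent.yml`) rather than the project's own `detections/sigma/` directory used by the adjacent links; consider contributing the rule into that directory so the reference does not break if the personal repo is reorganised.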