068. Detecting RMMs from Ransomware Affiliate's Toolkit: MeshAgent
Hello everyone! Let's keep talking about the ransomware affiliate's toolkit. This time the topic is remote monitoring and management (RMM) software. If you checked the report I shared yesterday, you may have noticed that the adversary used a number of RMMs. We are going to talk about one of them - MeshAgent.
Another example of MeshAgent abuse is Enigma Wolf; you can read about this ransomware gang in this report.
As always, we can search for processes with MeshAgent-related metadata:
event_type: "processcreatewin"
AND
(proc_file_originalfilename: "MeshAgent.exe"
OR
proc_file_productname: "MeshCentral Agent")
Depending on configuration, you may also observe meshcentral[.]com DNS requests:
event_type: "dnsreq"
AND
dns_rname: "meshcentral.com"
If your EDR solution collects PDB data, you can use it for detection as well:
event_type: "processcreatewin"
AND
proc_file_pdb_path: "MeshAgent"
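To show how the three queries above behave against telemetry, here is an added example (my own code, not from the original post or from any EDR vendor) that implements them as plain Python rules and runs them over a handful of constructed process-creation and DNS events. Field names follow the queries in the post; the file paths, PDB strings and hostnames in the sample events are placeholders I made up for the example, not observed indicators. The PDB check is a case-insensitive substring match and the DNS check also accepts subdomains of meshcentral.com, which are my assumptions about how the original query operators behave.

```python
"""Toy detection pass over constructed EDR-style telemetry for MeshAgent.

The three rules mirror the queries in the post: PE version metadata,
DNS requests to meshcentral.com, and the embedded PDB path.
"""
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events. Paths, hostnames and PDB strings are
# illustrative placeholders, not real indicators.
SAMPLE_EVENTS: List[Event] = [
    # 0. Normal launch from the default install folder.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "proc_file_originalfilename": "MeshAgent.exe",
     "proc_file_productname": "MeshCentral Agent",
     "proc_file_pdb_path": r"D:\build\MeshAgent\MeshAgent.pdb"},
    # 1. Renamed binary: the on-disk name changed, the PE version info did not.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Users\Public\update.exe",
     "proc_file_originalfilename": "MeshAgent.exe",
     "proc_file_productname": "MeshCentral Agent",
     "proc_file_pdb_path": ""},
    # 2. Version info stripped; only the PDB path still gives it away.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Users\Public\svc.exe",
     "proc_file_originalfilename": "",
     "proc_file_productname": "",
     "proc_file_pdb_path": r"C:\work\meshagent\Release\MeshAgent.pdb"},
    # 3. DNS request for the public MeshCentral domain.
    {"event_type": "dnsreq", "dns_rname": "meshcentral.com"},
    # 4. Benign process that must not match.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\notepad.exe",
     "proc_file_originalfilename": "NOTEPAD.EXE",
     "proc_file_productname": "Microsoft Windows Operating System",
     "proc_file_pdb_path": "notepad.pdb"},
    # 5. Unrelated DNS request that must not match.
    {"event_type": "dnsreq", "dns_rname": "example.com"},
]


def meshagent_process_metadata(ev: Event) -> bool:
    """Rule 1: process creation whose PE version info identifies MeshAgent."""
    return ev.get("event_type") == "processcreatewin" and (
        ev.get("proc_file_originalfilename", "").lower() == "meshagent.exe"
        or ev.get("proc_file_productname", "").lower() == "meshcentral agent")


def meshcentral_dns(ev: Event) -> bool:
    """Rule 2: DNS request for meshcentral.com; subdomains are accepted too
    (an assumption that generalises the exact match in the post's query)."""
    if ev.get("event_type") != "dnsreq":
        return False
    name = ev.get("dns_rname", "").lower().rstrip(".")
    return name == "meshcentral.com" or name.endswith(".meshcentral.com")


def meshagent_pdb(ev: Event) -> bool:
    """Rule 3: the debug (PDB) path compiled into the binary mentions MeshAgent.
    Implemented as a case-insensitive substring match (assumption)."""
    return (ev.get("event_type") == "processcreatewin"
            and "meshagent" in ev.get("proc_file_pdb_path", "").lower())


RULES = [
    ("meshagent_process_metadata", meshagent_process_metadata),
    ("meshcentral_dns", meshcentral_dns),
    ("meshagent_pdb", meshagent_pdb),
]


def run_rules(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in order."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        subject = ev.get("proc_file_path") or ev.get("dns_rname")
        print(f"event {idx}: {name} -> {subject}")
```

Events 1 and 2 are the interesting ones: renaming the executable does not touch the OriginalFilename and ProductName fields in the PE version resource, and even when those fields are stripped the PDB path frequently survives, which is why the post suggests layering all three signals rather than relying on the file name.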
I'm sure you can find even more detection opportunities!
See you tomorrow!