068. Detecting RMMs from Ransomware Affiliate's Toolkit: MeshAgent

Hello everyone! Let's keep talking about the ransomware affiliate's toolkit. This time it's about remote monitoring and management (RMM) software. If you checked the report I shared yesterday, you may have noticed that the adversary used a number of RMMs. We are going to talk about one of them - MeshAgent.


Another example of MeshAgent abuse is Enigma Wolf; you can read about this ransomware gang in this report.

As always, we can search for processes with MeshAgent-related metadata:

event_type: "processcreatewin"
AND
(proc_file_originalfilename: "MeshAgent.exe"
OR
proc_file_productname: "MeshCentral Agent")

Depending on configuration, you may also observe meshcentral[.]com DNS requests:

event_type: "dnsreq"
AND
dns_rname: "meshcentral.com"

If your EDR solution collects PDB data, you can use it for detection as well:

event_type: "processcreatewin"
AND
proc_file_pdb_path: "MeshAgent"
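To show how the three queries above behave together, here is an added example (not from the original post or any EDR vendor) that expresses them as Python rules and runs them over a few constructed telemetry events using the post's field names. It assumes the `proc_file_pdb_path: "MeshAgent"` query is a case-insensitive substring match, and it also flags subdomains of meshcentral.com, which goes slightly beyond the exact-match DNS query in the post.

```python
# Detection rules mirroring the post's three MeshAgent queries.
# Field names follow the post's EDR schema (event_type, proc_file_originalfilename, ...).

def is_meshagent_process(ev):
    """Process-creation metadata: original filename or product name of MeshAgent."""
    return (ev.get("event_type") == "processcreatewin"
            and (ev.get("proc_file_originalfilename", "").lower() == "meshagent.exe"
                 or ev.get("proc_file_productname") == "MeshCentral Agent"))

def is_meshcentral_dns(ev):
    """DNS request for meshcentral.com (or any of its subdomains; assumption)."""
    name = ev.get("dns_rname", "").lower().rstrip(".")
    return (ev.get("event_type") == "dnsreq"
            and (name == "meshcentral.com" or name.endswith(".meshcentral.com")))

def is_meshagent_pdb(ev):
    """PDB path containing 'MeshAgent' (treated as a case-insensitive substring; assumption)."""
    return (ev.get("event_type") == "processcreatewin"
            and "meshagent" in ev.get("proc_file_pdb_path", "").lower())

RULES = {
    "meshagent_process_metadata": is_meshagent_process,
    "meshcentral_dns_request": is_meshcentral_dns,
    "meshagent_pdb_path": is_meshagent_pdb,
}

def hunt(events):
    """Return (rule_name, event) pairs; one event may hit several rules."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry (not real data). Event 1 is a renamed MeshAgent binary:
# the file name on disk is generic, but the PE metadata and PDB path still give it away.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": "C:\\ProgramData\\svc\\agent.exe",
     "proc_file_originalfilename": "MeshAgent.exe", "proc_file_productname": "MeshCentral Agent",
     "proc_file_pdb_path": "C:\\build\\MeshAgent\\Release\\MeshAgent.pdb"},
    {"event_type": "dnsreq", "dns_rname": "meshcentral.com"},
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\notepad.exe",
     "proc_file_originalfilename": "NOTEPAD.EXE", "proc_file_productname": "Microsoft Windows"},
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(name, "->", ev.get("proc_file_path") or ev.get("dns_rname"))
```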

I'm sure you can find even more detection opportunities!

See you tomorrow!
