New rules: MeshAgent arguments

[norbert791]

Summary of the Pull Request

This Pull Request adds two new sigma rules that might prove useful for detecting usage of renamed MeshCentral Agent (MeshAgent) binaries. Additionally, a typo from an already present rule is fixed.

Changing

new: Remote Access Tool - Potential MeshAgent Usage - MacOS
new: Remote Access Tool - Potential MeshAgent Usage - Windows
new: Remote Access Tool - Suspicious MeshAgent Usage - MacOS
new: Remote Access Tool - Suspicious MeshAgent Usage - Windows
update: Remote Access Tool - MeshAgent Command Execution via MeshCentral - typo fixed

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @norbert791 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[frack113]

Suggested change

	CommandLine|windash|contains: --meshServiceName
	CommandLine|contains|windash: --meshServiceName

to keep the logic with the rest of the repo

[swachchhanda000]

Isn't windash meant to be used for a single '-' or '/'?
if the intention to use windash is to also watch for '/meshServiceName', the windash won't do it because here is the pysigma conversion of this rule to SPL
CommandLine="*--meshServiceName*" OR CommandLine="*-/meshServiceName*" OR CommandLine="*-–meshServiceName*" OR CommandLine="*-—meshServiceName*" OR CommandLine="*-―meshServiceName*" | table CommandLine,ParentImage,Image

I'm also not sure if /meshServiceName works instead of --meshServiceName

[norbert791]

You're right, it's not a use case for windash.
I've verified that neither /meshServiceName nor -meshServiceName does not work instead of --meshServiceName so it can be just removed.

[swachchhanda000]

Suggested change

modified: 2025-05-19

You don't need the field 'modified' for newly added rule

[swachchhanda000]

Suggested change

	- attack.t1219
	- attack.t1219.002

[swachchhanda000]

Suggested change

modified: 2025-05-19

[swachchhanda000]

Suggested change

	- attack.t1219
	- attack.t1219.002

[swachchhanda000]

Isn't windash meant to be used for a single '-' or '/'?
if the intention to use windash is to also watch for '/meshServiceName', the windash won't do it because here is the pysigma conversion of this rule to SPL
CommandLine="*--meshServiceName*" OR CommandLine="*-/meshServiceName*" OR CommandLine="*-–meshServiceName*" OR CommandLine="*-—meshServiceName*" OR CommandLine="*-―meshServiceName*" | table CommandLine,ParentImage,Image

I'm also not sure if /meshServiceName works instead of --meshServiceName

[swachchhanda000]

Suggested change

	CommandLine|contains: --meshServiceName
	CommandLine|contains: '--meshServiceName'

[swachchhanda000]

Suggested change

	CommandLine|contains: --meshServiceName
	CommandLine|contains: '--meshServiceName'

[swachchhanda000]

Approving it but adding the quotes for uniformity

[phantinuss]

We could add a level: high rule to match when the command line is found but the executable is not named with its default name i.e. was renamed. In addition the Windows rule can look for the OriginalFileName.

[norbert791]

We could add a level: high rule to match when the command line is found but the executable is not named with its default name i.e. was renamed. In addition the Windows rule can look for the OriginalFileName.

I have added two new rules. I assume, judging by this file, that MacOS also has OriginalFileName field.