From 7537634077225ba6b553f26314d7de9b051619d8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 25 Jun 2025 20:16:06 +0000
Subject: [PATCH] Sigma Rule Update (2025-06-25 20:15:58) (#82)

Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/config/security_rules.json b/config/security_rules.json
index 45d60a80..05883bc7 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -6264,6 +6264,23 @@
 ],
 "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "8137d225-9af4-eac6-7709-6bcb96a183f2",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Remote Access Tool - Potential MeshAgent Execution - Windows"
+ },
 {
 "category": "process_creation",
 "channel": [
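Review bot: Both new entries (this hunk and the one at @@ -13727) list only Security event 4688 in `"event_ids"`, yet the first entry's description says it matches command lines containing '--meshServiceName'; 4688 only includes the command line when the "Include command line in process creation events" audit policy is enabled, so on a default policy this rule would most likely never fire and analysts reading the index have no hint why. Whether the second entry's renamed-binary detection can work from 4688 alone cannot be judged here, since the detection logic is not part of this file. If `security_rules.json` is regenerated from upstream Sigma by the update workflow, as the bot authorship suggests, the prerequisite belongs in the upstream rule's description; otherwise a sentence such as `Requires command-line logging for Event 4688 (Audit Process Creation with command line inclusion enabled).` in `"description"` would make the dependency explicit.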
@@ -13727,6 +13744,23 @@
 ],
 "title": "Suspicious GUP Usage"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3ab572a4-6b9c-6004-a772-cf0ce1400109",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
+ },
 {
 "category": "process_creation",
 "channel": [