Update generated site files

magicsword-io · Sep 23, 2024 · 3a669d6 · 3a669d6
1 parent a00493f
commit 3a669d6
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 31 deletions.
diff --git a/website/pages/tools/meshcentral.mdx b/website/pages/tools/meshcentral.mdx
@@ -1,5 +1,5 @@
 ---
-description = "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+description = "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes."
 title = "MeshCentral"
 ---
 
@@ -9,29 +9,42 @@ import {EuiSpacer} from "@elastic/eui"
 
 # MeshCentral
 
-MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+
 
 ### Details
-<Details author={""}
+<Details author={"@kostastsale"}
          category={""}
-         created={""}
-         website={""}
-         lastModified={"2/8/2024"}
-         privileges={""}
-         free={ "" }
-         verification={""}
+         created={"2024-09-20"}
+         website={"https://meshcentral.com/"}
+         lastModified={"2024-09-20"}
+         privileges={"SYSTEM"}
+         free={ "Yes" }
+         verification={"N/A"}
 />
 
 #### Installation Paths
-<Card code={ ["meshcentral*.exe", "mesh*.exe"] }/>
+<Card code={ ["meshcentral*.exe", "meshagent*.exe"] }/>
 
+#### Supported OS
+<Badges color="warning" badges={ ["Windows", "Linux", "MacOS", "FreeBSD"] }/>
 
+#### Capabilities
+<Badges color="#FFA500" badges={ ["Remote Desktop & Terminal", "Remote File Access", "Text and Voice Chat", "Server File Storage", "Real-time User interface", "Port Forwarding"] }/>
 
+#### Known Vulnerabilities
+- [CVE-2024-26135](CVE-2024-26135)
 
 
 ### Forensic Artifacts
 
+#### Disk Artifacts
+<EuiSpacer size="xl"/>
+<DiskArtifacts data={ [{"File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "Description": "Local MeshAgent service binary after installation", "OS": "Windows"}, {"File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", "OS": "Windows"}] }/>
 
+#### Event Log Artifacts
+<EuiSpacer size="xl"/>
+<EventLogTable data={ [{"EventID": 7045, "ProviderName": "Service Control Manager", "LogFile": "System.evtx", "ServiceName": "Mesh Agent background service", "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", "Description": "Service installation event as result of MeshAgent installation."}] }/>
 
 
 #### Network Artifacts
@@ -46,7 +59,12 @@ MeshCentral is a remote monitoring and management (RMM) tool. More information w
   - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml)
 - Detects potential processes activity of MeshCentral RMM tool
   - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml)
+- Detects MeshAgent Command Execution via MeshCentral
+  - [Sigma Rule](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml)
 
 ### References
 - [https://ylianst.github.io/MeshCentral/meshcentral/](https://ylianst.github.io/MeshCentral/meshcentral/)
+- [https://github.com/Ylianst/MeshAgent](https://github.com/Ylianst/MeshAgent)
 
+### Acknowledgements
+- Kostas (@kostastsale)
diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv
@@ -250,7 +250,8 @@ Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote mon
 GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[]
 Electric,,Electric is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",,[]
 Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[]
-MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}]",https://ylianst.github.io/MeshCentral/meshcentral/,[]
+MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
 MSP360,,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[]
 ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client (<string ID>)\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[]
 Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[]

diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json
@@ -12978,32 +12978,65 @@
     },
     {
         "Name": "MeshCentral",
-        "Description": "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
-        "Author": "",
-        "Created": "",
-        "LastModified": "2/8/2024",
+        "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
+        "Author": "@kostastsale",
+        "Created": "2024-09-20",
+        "LastModified": "2024-09-20",
         "Details": {
-            "Website": "",
+            "Website": "https://meshcentral.com/",
             "PEMetadata": {
-                "Filename": "",
+                "Filename": "MeshAgent.exe",
                 "OriginalFileName": "",
-                "Description": ""
+                "Description": "MeshCentral Background Service Agent"
             },
-            "Privileges": "",
-            "Free": "",
-            "Verification": "",
-            "SupportedOS": [],
-            "Capabilities": [],
-            "Vulnerabilities": [],
+            "Privileges": "SYSTEM",
+            "Free": "Yes",
+            "Verification": "N/A",
+            "SupportedOS": [
+                "Windows",
+                "Linux",
+                "MacOS",
+                "FreeBSD"
+            ],
+            "Capabilities": [
+                "Remote Desktop & Terminal",
+                "Remote File Access",
+                "Text and Voice Chat",
+                "Server File Storage",
+                "Real-time User interface",
+                "Port Forwarding"
+            ],
+            "Vulnerabilities": [
+                "CVE-2024-26135"
+            ],
             "InstallationPaths": [
                 "meshcentral*.exe",
-                "mesh*.exe"
+                "meshagent*.exe"
             ]
         },
         "Artifacts": {
-            "Disk": [],
-            "EventLog": [],
-            "Registry": [],
+            "Disk": [
+                {
+                    "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe",
+                    "Description": "Local MeshAgent service binary after installation",
+                    "OS": "Windows"
+                },
+                {
+                    "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh",
+                    "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.",
+                    "OS": "Windows"
+                }
+            ],
+            "EventLog": [
+                {
+                    "EventID": 7045,
+                    "ProviderName": "Service Control Manager",
+                    "LogFile": "System.evtx",
+                    "ServiceName": "Mesh Agent background service",
+                    "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"",
+                    "Description": "Service installation event as result of MeshAgent installation."
+                }
+            ],
             "Network": [
                 {
                     "Description": "Known remote domains",
@@ -13023,12 +13056,22 @@
             {
                 "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml",
                 "Description": "Detects potential processes activity of MeshCentral RMM tool"
+            },
+            {
+                "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml",
+                "Description": "Detects MeshAgent Command Execution via MeshCentral"
             }
         ],
         "References": [
-            "https://ylianst.github.io/MeshCentral/meshcentral/"
+            "https://ylianst.github.io/MeshCentral/meshcentral/",
+            "https://github.com/Ylianst/MeshAgent"
         ],
-        "Acknowledgement": []
+        "Acknowledgement": [
+            {
+                "Person": "Kostas",
+                "Handle": "@kostastsale"
+            }
+        ]
     },
     {
         "Name": "MSP360",

diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv
@@ -243,7 +243,7 @@ Name,Category,Description,Author
 [GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ...,
 [Electric](/rmm_tools/electric),,Electric is a remote monitoring and management (RMM) tool. More information will be added as it beco...,
 [Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco...,
-[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it b...,
+[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale
 [MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become...,
 [ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali"
 [Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it...,