diff --git a/website/pages/tools/meshcentral.mdx b/website/pages/tools/meshcentral.mdx
index 0cd9757a..1bb0282b 100644
--- a/website/pages/tools/meshcentral.mdx
+++ b/website/pages/tools/meshcentral.mdx
@@ -1,5 +1,5 @@
---
-description = "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+description = "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes."
title = "MeshCentral"
---
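Review bot: The new `description` states abuse as if it were the product's function: "to run malicious code" and "to obscure their activities" follow directly after a sentence calling MeshCentral an RMM tool, and "MeshAgent used along with" has lost its verb. Consider `MeshAgent is the endpoint agent used with MeshCentral to manage computers remotely. It can be abused to execute commands on a host, using win-console to hide the activity and win-dispatcher to run code in child processes over IPC.` The same text is repeated in the page body in the next hunk and in the MeshCentral records of rmm_tools.csv and rmm_tools.json, so if those are generated from one source it is best fixed there.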
@@ -9,29 +9,42 @@ import {EuiSpacer} from "@elastic/eui"
# MeshCentral
-MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+
### Details
-
#### Installation Paths
-
+
+#### Supported OS
+
+#### Capabilities
+
+#### Known Vulnerabilities
+- [CVE-2024-26135](CVE-2024-26135)
### Forensic Artifacts
+#### Disk Artifacts
+
+
+#### Event Log Artifacts
+
+
#### Network Artifacts
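Review bot: The link added under Known Vulnerabilities, `[CVE-2024-26135](CVE-2024-26135)`, uses the CVE id as its own target, so it resolves as a relative path on the site rather than to an advisory. Point it at a record, e.g. `- [CVE-2024-26135](https://nvd.nist.gov/vuln/detail/CVE-2024-26135)`. The new Supported OS and Capabilities headings also appear empty in this hunk although the JSON record in this commit carries values for both, so the rendered page is worth checking.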
@@ -46,7 +59,12 @@ MeshCentral is a remote monitoring and management (RMM) tool. More information w
- [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml)
- Detects potential processes activity of MeshCentral RMM tool
- [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml)
+- Detects MeshAgent Command Execution via MeshCentral
+ - [Sigma Rule](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml)
### References
- [https://ylianst.github.io/MeshCentral/meshcentral/](https://ylianst.github.io/MeshCentral/meshcentral/)
+- [https://github.com/Ylianst/MeshAgent](https://github.com/Ylianst/MeshAgent)
+### Acknowledgements
+- Kostas (@kostastsale)
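Review bot: The added Sigma link points at the `main` branch of a personal repository (`tsale/Sigma_rules`), while the two existing rules live under `detections/sigma/` in this project, so the target can change or move without any change here. Either copy the rule into `detections/sigma/` alongside the others or link a commit permalink, e.g. `https://github.com/tsale/Sigma_rules/blob/<commit-sha>/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml`. The same URL is added in the rmm_tools.csv and rmm_tools.json hunks.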
diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv
index c3c86874..03f3197f 100644
--- a/website/public/api/rmm_tools.csv
+++ b/website/public/api/rmm_tools.csv
@@ -250,7 +250,8 @@ Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote mon
GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[]
Electric,,Electric is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",,[]
Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[]
-MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}]",https://ylianst.github.io/MeshCentral/meshcentral/,[]
+MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via 
MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
MSP360,,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[]
ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential 
files activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[]
Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[]
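Review bot: The new MeshCentral record's Description field ends with a line break inside the quotes, so the record continues on a physical line that starts `",@kostastsale`. A quoting-aware CSV parser handles that, but anything that reads this API file line by line sees a broken row. Trim trailing whitespace from the description before export; the rmm_tools.json hunk shows the same trailing `\n`. Separately, narrowing `mesh*.exe` to `meshagent*.exe` drops other MeshCentral binaries the old pattern matched, such as `meshcmd.exe`, so confirm that loss of coverage is intended.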
diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json
index c033b16b..3c67c53f 100644
--- a/website/public/api/rmm_tools.json
+++ b/website/public/api/rmm_tools.json
@@ -12978,32 +12978,65 @@
},
{
"Name": "MeshCentral",
- "Description": "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
- "Author": "",
- "Created": "",
- "LastModified": "2/8/2024",
+ "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
+ "Author": "@kostastsale",
+ "Created": "2024-09-20",
+ "LastModified": "2024-09-20",
"Details": {
- "Website": "",
+ "Website": "https://meshcentral.com/",
"PEMetadata": {
- "Filename": "",
+ "Filename": "MeshAgent.exe",
"OriginalFileName": "",
- "Description": ""
+ "Description": "MeshCentral Background Service Agent"
},
- "Privileges": "",
- "Free": "",
- "Verification": "",
- "SupportedOS": [],
- "Capabilities": [],
- "Vulnerabilities": [],
+ "Privileges": "SYSTEM",
+ "Free": "Yes",
+ "Verification": "N/A",
+ "SupportedOS": [
+ "Windows",
+ "Linux",
+ "MacOS",
+ "FreeBSD"
+ ],
+ "Capabilities": [
+ "Remote Desktop & Terminal",
+ "Remote File Access",
+ "Text and Voice Chat",
+ "Server File Storage",
+ "Real-time User interface",
+ "Port Forwarding"
+ ],
+ "Vulnerabilities": [
+ "CVE-2024-26135"
+ ],
"InstallationPaths": [
"meshcentral*.exe",
- "mesh*.exe"
+ "meshagent*.exe"
]
},
"Artifacts": {
- "Disk": [],
- "EventLog": [],
- "Registry": [],
+ "Disk": [
+ {
+ "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe",
+ "Description": "Local MeshAgent service binary after installation",
+ "OS": "Windows"
+ },
+ {
+ "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh",
+ "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.",
+ "OS": "Windows"
+ }
+ ],
+ "EventLog": [
+ {
+ "EventID": 7045,
+ "ProviderName": "Service Control Manager",
+ "LogFile": "System.evtx",
+ "ServiceName": "Mesh Agent background service",
+ "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"",
+ "Description": "Service installation event as result of MeshAgent installation."
+ }
+ ],
"Network": [
{
"Description": "Known remote domains",
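Review bot: The `ImagePath` value in the new EventLog artifact is escaped twice: `\\\\` decodes to two backslashes, while the `File` entries above it decode to one, so a literal comparison with the path recorded in a 7045 event would not match. Use `"ImagePath": "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\"",`. The hunk also removes `"Registry": []` from `Artifacts`, which the other records visible in this commit keep; retain the empty array if consumers index that key. These values describe a default install only, so a deployment with a customised service name or install path would not produce this exact event. The record continues past the end of the hunk.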
@@ -13023,12 +13056,22 @@
{
"Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml",
"Description": "Detects potential processes activity of MeshCentral RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml",
+ "Description": "Detects MeshAgent Command Execution via MeshCentral"
}
],
"References": [
- "https://ylianst.github.io/MeshCentral/meshcentral/"
+ "https://ylianst.github.io/MeshCentral/meshcentral/",
+ "https://github.com/Ylianst/MeshAgent"
],
- "Acknowledgement": []
+ "Acknowledgement": [
+ {
+ "Person": "Kostas",
+ "Handle": "@kostastsale"
+ }
+ ]
},
{
"Name": "MSP360",
diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv
index f2f184ae..b19481be 100644
--- a/website/public/rmm_tools_table.csv
+++ b/website/public/rmm_tools_table.csv
@@ -243,7 +243,7 @@ Name,Category,Description,Author
[GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ...,
[Electric](/rmm_tools/electric),,Electric is a remote monitoring and management (RMM) tool. More information will be added as it beco...,
[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco...,
-[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it b...,
+[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale
[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become...,
[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali"
[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it...,