Listen to this Post

In a recent incident response case, a cleverly hidden backdoor was discovered masquerading as a Microsoft Edge service. The malicious agent was running under the path:
C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe
The giveaway was the suspicious argument:
--meshServiceName="MicrosoftEdge"
This technique highlights how attackers abuse legitimate-looking paths to evade detection. The backdoor was linked to MeshCentral, a remote administration tool often weaponized by threat actors.
You Should Know:
Detection & Analysis (Windows)
1. Check Suspicious Services:
Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "MicrosoftEdge" } | Select Name, DisplayName, PathName, State
2. Process Inspection:
tasklist /svc | findstr "msedge.exe" wmic process where "name='msedge.exe'" get commandline
3. Hunt for MeshCentral Artifacts:
Get-ChildItem -Path "C:\Program Files\", "C:\ProgramData\" -Recurse -Force -Include "Mesh" -ErrorAction SilentlyContinue
Remediation Steps
- Terminate Malicious Process:
taskkill /F /IM msedge.exe /T
-
Remove Persistence:
sc.exe delete "MicrosoftEdge"
-
Forensic Analysis (Memory & Disk):
strings.exe -accepteula %MEMDUMP%.raw | findstr "MeshCentral"
Linux Detection (If Lateral Movement Suspected)
ps aux | grep -i "edge|mesh" lsof -i | grep -E "(mesh|edge)" netstat -tulnp | grep -E "(444|443|80)"
Preventive Measures
- Enable Command-Line Auditing:
AuditPol /set /category:"Process Creation" /success:enable /failure:enable
-
Deploy EDR/XDR Solutions for real-time process monitoring.
- Restrict Unusual Service Installations via GPO or endpoint hardening.
What Undercode Say
Attackers increasingly abuse legitimate software paths to bypass defenses. Continuous network-wide visibility and behavioral analysis are critical. MeshCentral’s misuse underscores the need for baseline process monitoring and strict execution policies.
Expected Output:
[/bash]
SERVICE_NAME: MicrosoftEdge
DISPLAY_NAME: Microsoft Edge Update Service
PATH_NAME: “C:\Program Files\Microsoft\MicrosoftEdge\msedge.exe” –meshServiceName=”MicrosoftEdge”
STATE: Running
[bash]
Prediction
Future attacks will leverage more signed binaries and cloud-based C2 (e.g., AWS Lambda) to evade traditional detection.
[bash] MeshCentral Backdoor Analysis
References:
Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


