
DNS Query To MEGA Hosting Website

Detects DNS queries for subdomains related to MEGA sharing website

Author: Aaron Greetham - NCC Group
Created: Wed May 26
Updated: Mon Sep 18
Rule ID: 613c03ba-0779-4a53-8a1f-47f914a4ded3
Product: windows
Log Source
Product: Windows (raw: windows)
Category: DNS Query (raw: dns_query)

DNS lookup events generated by endpoint monitoring tools.

Detection Logic (1 selector)

detection:
    selection:
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
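To show how this selection evaluates in practice, here is an added Python example (not part of the Sigma rule or of the Sigma project's code) that applies the rule's `QueryName|contains` test to constructed Sysmon-style DNS query events; the event fields, process paths and hostnames are assumed sample values, and the matcher implements Sigma's case-insensitive `contains` semantics.

```python
# Sigma selection from the rule, expressed as a Python structure.
# In Sigma, `QueryName|contains` is a case-insensitive substring test.
SELECTION = {"QueryName|contains": "userstorage.mega.co.nz"}


def sigma_contains(value, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return isinstance(value, str) and needle.lower() in value.lower()


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """All field/value pairs in a Sigma selection map are AND-ed together."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)  # missing field never matches
        if modifier == "contains":
            if not sigma_contains(value, needle):
                return False
        elif modifier == "":
            # No modifier: case-insensitive equality (Sigma default)
            if not (isinstance(value, str) and value.lower() == needle.lower()):
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


# Constructed sample events shaped like Sysmon Event ID 22 (DNS query) records.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
     "QueryName": "gfs123n456.userstorage.mega.co.nz"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "mega.nz"},  # bare mega.nz is NOT covered by this selection
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "USERSTORAGE.MEGA.CO.NZ"},  # case differs, still matches
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "login.microsoftonline.com"},
]


def find_hits(events: list) -> list:
    """Return the QueryName of every event that triggers the rule."""
    return [e["QueryName"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for name in find_hits(SAMPLE_EVENTS):
        print("hit:", name)
```

Note that only the `userstorage.mega.co.nz` host is matched, so lookups of the plain `mega.nz` web front end do not trigger this rule.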
False Positives

Legitimate DNS queries and usage of Mega

Rule Metadata
Rule ID: 613c03ba-0779-4a53-8a1f-47f914a4ded3
Status: test
Level: medium
Type: Detection
Created: Wed May 26
Modified: Mon Sep 18
Path: rules/windows/dns_query/dns_query_win_mega_nz.yml
Raw Tags: attack.exfiltration, attack.t1567.002