Detectionhightest

Renamed MegaSync Execution

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sittikorn SCreated Tue Jun 22Updated Fri Feb 03643bdcac-8b82-49f4-9fd9-25a90b929f3bwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        OriginalFileName: 'megasync.exe'
    filter:
        Image|endswith: '\megasync.exe'
    condition: selection and not filter

False Positives

Software that illegally integrates MegaSync in a renamed form

Administrators that have renamed MegaSync

References

Resolving title…

redcanary.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

643bdcac-8b82-49f4-9fd9-25a90b929f3b

Status

test

Level

high

Type

Detection

Created

Tue Jun 22

Modified

Fri Feb 03

Author

Sittikorn S

Path

rules/windows/process_creation/proc_creation_win_renamed_megasync.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub