Detection rule, level: low, status: test
Network Connection Initiated To Mega.nz
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Author: Florian Roth (Nextron Systems)
Created: Mon Dec 06
Updated: Fri May 31
Rule ID: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    condition: selection
False Positives
Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
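The following Python is an added example, not part of the Sigma rule or the Sigma project: it re-implements the selection above (Sigma's `|endswith` modifier is a case-insensitive suffix match OR-ed across the listed values, combined with an AND on `Initiated`) and runs it over constructed Sysmon network-connection events, then applies the host allow-list suggested in the False Positives section. The event dictionaries, the `Computer` names, image paths and the `ALLOWED_HOSTS` set are all constructed for illustration. The `omega.nz` event is included on purpose: a plain suffix match has no dot boundary, so a hostname whose last characters happen to be `mega.nz` also fires, which is worth knowing when tuning this rule.

```python
"""Evaluate the Mega.nz Sigma selection against constructed Sysmon Event ID 3 records."""

# Values taken from the rule's detection block
SUFFIXES = ("mega.co.nz", "mega.nz")

# Hypothetical allow-list of hosts permitted to run MEGA tooling (see False Positives)
ALLOWED_HOSTS = {"backup-srv01"}


def sigma_endswith(value, suffixes):
    """Sigma '|endswith': case-insensitive suffix match, OR across the list of values."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def sigma_initiated(value):
    """Sysmon records Initiated as the string 'true'/'false'; compare case-insensitively."""
    return str(value).lower() == "true"


def matches_rule(event):
    """AND of the two selection fields, as 'condition: selection' requires."""
    return sigma_initiated(event.get("Initiated")) and sigma_endswith(
        event.get("DestinationHostname"), SUFFIXES
    )


def triage(events, allowed_hosts=ALLOWED_HOSTS):
    """Split rule matches into alerts and matches suppressed by the host allow-list."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if ev.get("Computer") in allowed_hosts else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events shaped like Sysmon Event ID 3 (network connection) fields
SAMPLE_EVENTS = [
    {   # outbound from a temp-dir binary to MEGA's API: should alert
        "Computer": "ws-finance-07",
        "Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
        "Initiated": "true", "DestinationHostname": "g.api.mega.co.nz", "DestinationPort": 443,
    },
    {   # legitimate MEGAsync client on an allow-listed host: matches, but suppressed
        "Computer": "backup-srv01",
        "Image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
        "Initiated": "true", "DestinationHostname": "mega.nz", "DestinationPort": 443,
    },
    {   # inbound connection (Initiated false): the rule does not match
        "Computer": "ws-hr-03",
        "Image": r"C:\Windows\System32\svchost.exe",
        "Initiated": "false", "DestinationHostname": "mega.nz", "DestinationPort": 49152,
    },
    {   # 'omega.nz' ends with 'mega.nz': suffix match fires without a dot boundary
        "Computer": "ws-dev-02",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Initiated": "true", "DestinationHostname": "omega.nz", "DestinationPort": 443,
    },
    {   # domain merely containing the string, not ending in it: no match
        "Computer": "ws-dev-02",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Initiated": "true", "DestinationHostname": "mega.nz.example.com", "DestinationPort": 443,
    },
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print(f"ALERT      {ev['Computer']:<14} {ev['Image']} -> {ev['DestinationHostname']}")
    for ev in suppressed:
        print(f"SUPPRESSED {ev['Computer']:<14} {ev['Image']} -> {ev['DestinationHostname']}")
```

Running the script shows two alerts (the temp-dir binary and the `omega.nz` suffix collision) and one suppressed match from the allow-listed backup server; the inbound event and the `mega.nz.example.com` event never match. If the suffix collision matters in your environment, a converted backend query can anchor on `.mega.nz` plus the bare `mega.nz` value instead of the unanchored suffix.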
MITRE ATT&CK
Tactics: Exfiltration (attack.exfiltration)
Sub-techniques: T1567.002 Exfiltration to Cloud Storage (attack.t1567.002)
Rule Metadata
Rule ID
fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
Status
test
Level
low
Type
Detection
Created
Mon Dec 06
Modified
Fri May 31
Path
rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
Raw Tags
attack.exfiltration, attack.t1567.002