administrators that have renamed megasync

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml>sigma
technicques: t1218

Techniques

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

condition: selection and not filter
filter:
  Image|endswith: \megasync.exe
selection:
  OriginalFileName: megasync.exe