LoFP / legitimate dns queries and usage of mega

Techniques

• t1567
• t1567.002

Sample rules

DNS Query To MEGA Hosting Website

• source: sigma
• technicques:
  • t1567
  • t1567.002

Description

Detects DNS queries for subdomains related to MEGA sharing website

Detection logic

condition: selection
selection:
  QueryName|contains: userstorage.mega.co.nz

DNS Query To MEGA Hosting Website - DNS Client

• source: sigma
• technicques:
  • t1567
  • t1567.002

Description

Detects DNS queries for subdomains related to MEGA sharing website

Detection logic

condition: selection
selection:
  EventID: 3008
  QueryName|contains: userstorage.mega.co.nz