Legitimate Mega installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.

Techniques

Sample rules

Network Connection Initiated To Mega.nz

Description

Detects a network connection initiated by a binary to “api.mega.co.nz”. Attackers were seen abusing file sharing websites similar to “mega.nz” in order to upload/download additional payloads.

Detection logic

condition: selection
selection:
  DestinationHostname|endswith:
  - mega.co.nz
  - mega.nz
  Initiated: 'true'
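
The following is an added example, not part of the original rule or the Sigma project. It evaluates the selection above against constructed Sysmon-style network events and applies the host exclusion that the false-positive note recommends. The `Computer` field, the allowlist contents and all event values are assumptions made for illustration.

```python
# Added example: the rule's selection plus a host allowlist, run over sample events.
SUFFIXES = ("mega.co.nz", "mega.nz")          # values from the rule's selection
ALLOWED_HOSTS = {"backup-ws01.example.test"}  # assumption: hosts approved to run Mega tools

# Constructed sample events (Sysmon network-connection style fields), not real telemetry.
EVENTS = [
    {"Computer": "hr-lt07.example.test", "Image": r"C:\Users\a\AppData\Local\Temp\u.exe",
     "DestinationHostname": "g.api.mega.co.nz", "Initiated": "true"},
    {"Computer": "backup-ws01.example.test", "Image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
     "DestinationHostname": "g.api.mega.co.nz", "Initiated": "true"},
    {"Computer": "hr-lt07.example.test", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "mega.nz", "Initiated": "false"},
    {"Computer": "dev-pc02.example.test", "Image": r"C:\Tools\curl.exe",
     "DestinationHostname": "example.org", "Initiated": "true"},
    {"Computer": "dev-pc02.example.test", "Image": r"C:\Tools\curl.exe",
     "DestinationHostname": "notmega.nz", "Initiated": "true"},
]

def selection(event):
    """Mirror of the rule: DestinationHostname|endswith and Initiated: 'true'."""
    host = event.get("DestinationHostname", "").lower()  # Sigma string matching ignores case
    return event.get("Initiated", "").lower() == "true" and host.endswith(SUFFIXES)

def is_allowed(event):
    """False-positive filter: the source host is approved to use the tool."""
    return event.get("Computer", "").lower() in ALLOWED_HOSTS

def triage(events):
    """Split rule hits into alerts and hits suppressed by the allowlist."""
    alerts, suppressed = [], []
    for event in events:
        if selection(event):
            (suppressed if is_allowed(event) else alerts).append(event)
    return alerts, suppressed

def off_boundary_hits(events):
    """Hits where the suffix matched but not on a DNS label boundary.

    'endswith' is a plain string suffix test, so 'notmega.nz' also matches 'mega.nz'.
    """
    hits = []
    for event in events:
        host = event.get("DestinationHostname", "").lower()
        on_boundary = any(host == s or host.endswith("." + s) for s in SUFFIXES)
        if selection(event) and not on_boundary:
            hits.append(host)
    return hits

if __name__ == "__main__":
    alerts, suppressed = triage(EVENTS)
    print(len(alerts), "alerts,", len(suppressed), "suppressed,", off_boundary_hits(EVENTS))
```

Hits returned by `off_boundary_hits` are unrelated domains that only share the string suffix, so they are a second source of false positives alongside approved hosts.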