@beardofbinary
Last active May 28, 2021 03:19
```yaml
title: DNS Query for MEGA.io Upload Domain
description: Detects DNS queries for subdomains used for upload to MEGA.io
status: experimental
date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
    - attack.exfiltration
    - attack.t1567.002
falsepositives:
    - Legitimate Mega upload
level: high
logsource:
    product: windows
    service: sysmon
detection:
    dns_request:
        EventID: 22
        QueryName|contains: userstorage.mega.co.nz
    condition: dns_request
```
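To show what the rule's `dns_request` selection actually fires on, here is a minimal evaluator written for this page (it is not the gist's content and not the Sigma project's own backend) that applies the plain and `|contains` field tests to constructed Sysmon Event ID 22 records; the event values, `SAMPLE_EVENTS` and `RULE_DETECTION` are assumptions made for the example.

```python
# Constructed Sysmon Event ID 22 (DnsQuery) records, not taken from the gist.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\alice\rclone.exe",
     "QueryName": "gfs270n999.userstorage.mega.co.nz"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "mega.nz"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "USERSTORAGE.MEGA.CO.NZ"},
    {"EventID": 1, "Image": r"C:\Users\alice\rclone.exe",
     "QueryName": "userstorage.mega.co.nz"},  # wrong EventID: must not match
]
# The detection section of the rule above, as a Python dict.
RULE_DETECTION = {
    "dns_request": {
        "EventID": 22,
        "QueryName|contains": "userstorage.mega.co.nz",
    },
    "condition": "dns_request",
}


def field_matches(event, key, expected):
    """One Sigma field test. Sigma string matching is case-insensitive;
    only the plain and |contains forms this rule uses are implemented."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    # Field tests inside one selection map are ANDed together.
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(detection, events):
    """Return the events the rule fires on; condition must name one selection."""
    selection = detection[detection["condition"]]
    return [ev for ev in events if selection_matches(ev, selection)]


for hit in evaluate(RULE_DETECTION, SAMPLE_EVENTS):
    print(f"hit: {hit['Image']} -> {hit['QueryName']}")
```

The third record shows why the rule's `contains` test must be case-insensitive, and the `Image` field of each hit is what a triage analyst checks first against the "Legitimate Mega upload" false positive.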