detection.fyi
2606:50c0:8000::153
Submitted URL: https://detection.fyi/sigmahq/sigma/id/fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
Effective URL: https://detection.fyi/sigmahq/sigma/windows/network_connection/net_connection_win_mega_nz/
Submission: On February 09 via manual from GB — Scanned from GB
Form analysis: 0 forms found in the DOM

Text Content
COMMUNICATION TO MEGA.NZ

Dec 27, 2022 · attack.exfiltration attack.t1567.001

Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors

SIGMA RULE (VIEW ON GITHUB)

title: Communication To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors
references:
    - https://megatools.megous.com/
    - https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth
date: 2021/12/06
modified: 2022/12/25
tags:
    - attack.exfiltration
    - attack.t1567.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'api.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate use of mega.nz uploaders and tools
level: high