CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
5da0f5e322de5996e616563f73d6da3be4e10bc3
hayabusa/rules/sigma/process_creation/win_renamed_megasync.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

36 lines
972 B
YAML
Raw Blame History

title: Renamed MegaSync
ruletype: Sigma
author: Sittikorn S
date: 2021/06/22
description: Detects the execution of a renamed meg.exe of MegaSync during incident
response engagements associated with ransomware families like Nefilim, Sodinokibi,
Pysa, and Conti.
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
ParentImage: '*\explorer.exe'
SELECTION_3:
CommandLine: '*C:\Windows\Temp\meg.exe*'
SELECTION_4:
OriginalFileName: meg.exe
SELECTION_5:
Image: '*\meg.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and not
(SELECTION_5))))
falsepositives:
- Software that illegaly integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
level: high
logsource:
category: process_creation
product: windows
references:
- https://redcanary.com/blog/rclone-mega-extortion/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
Reference in New Issue View Git Blame Copy Permalink