# Sigma rule in Hayabusa-converted form: flags Windows DNS lookups for the
# MEGA upload endpoint named in the referenced NCC Group rclone write-up.
title: DNS Query for MEGA.io Upload Domain
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
status: experimental
description: Detects DNS queries for subdomains used for upload to MEGA.io
references:
  - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021/05/26
tags:
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: dns_query
  product: windows
detection:
  # Sysmon Event ID 22 (DnsQuery). NOTE(review): Sysmon only writes this event
  # when its configuration enables DNS query logging, so no hits does not mean
  # no activity — confirm coverage on the monitored hosts.
  SELECTION_1:
    EventID: 22
  # Leading and trailing wildcards match the host anywhere in the queried name.
  SELECTION_2:
    QueryName: '*userstorage.mega.co.nz*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
  - Legitimate Mega upload
level: high
# Bookkeeping fields added by the converter; yml_path records the converting
# user's local checkout and carries no meaning outside that workstation.
yml_filename: dns_query_mega_nz.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query