
Summary
This detection rule identifies outbound network connections that a process initiates to Mega.nz infrastructure, specifically the API endpoint api.mega.co.nz. The rule was written in response to observed intrusions in which attackers used file sharing services such as Mega.nz to stage and retrieve additional malware payloads. The detection matches on network connection events, restricting to connections initiated by the local binary whose destination is a known Mega.nz domain. Because legitimate software (such as an installed Mega.nz client) also connects to this domain, the rule includes guidance for handling false positives by excluding recognised legitimate installations and the hosts on which they run. The rule is rated low severity because the same domains carry a large amount of benign traffic.
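As an added illustration (this is not the rule's own query, which the page does not reproduce), the following Python applies the same logic to a handful of constructed Sysmon Event ID 3-style network connection records: keep only connections the local process initiated, match the destination hostname against api.mega.co.nz, and drop connections from an allowlisted install path of a known-good client. The suffix match on other mega.co.nz / mega.nz hosts, the event field names, the sample records and the allowlist path are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# api.mega.co.nz is the endpoint the rule names. The suffix match below is an
# assumption added so that other Mega.nz hosts are caught as well.
MEGA_HOSTNAMES = {"api.mega.co.nz"}
MEGA_SUFFIXES = (".mega.co.nz", ".mega.nz")

# Hypothetical allowlist of known-good client installs (assumed path; tune to
# your estate). Match on the full image path, not just the file name, so a
# copy of the client binary dropped somewhere unusual still fires.
ALLOWED_IMAGES = {
    r"c:\program files\megasync\megasync.exe",
}


@dataclass(frozen=True)
class NetConnEvent:
    """Minimal Sysmon Event ID 3-style network connection record (assumed fields)."""
    host: str            # endpoint that produced the event
    image: str           # process that owns the socket
    initiated: bool      # True for outbound connections the process opened
    dest_hostname: str   # destination hostname as recorded by the sensor
    dest_ip: str
    dest_port: int


def is_mega_destination(hostname: str) -> bool:
    """True if the destination is api.mega.co.nz or another Mega.nz host."""
    h = hostname.lower().rstrip(".")
    return h in MEGA_HOSTNAMES or h.endswith(MEGA_SUFFIXES)


def detect(events: Iterable[NetConnEvent]) -> List[NetConnEvent]:
    """Return the events the rule would alert on."""
    hits = []
    for ev in events:
        if not ev.initiated:                      # inbound: not in scope
            continue
        if not is_mega_destination(ev.dest_hostname):
            continue
        if ev.image.lower() in ALLOWED_IMAGES:    # recognised legitimate install
            continue
        hits.append(ev)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    NetConnEvent("ws01", r"C:\Program Files\MEGAsync\MEGAsync.exe", True,
                 "api.mega.co.nz", "198.51.100.10", 443),      # allowlisted client
    NetConnEvent("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True,
                 "api.mega.co.nz", "198.51.100.10", 443),      # suspicious
    NetConnEvent("ws03", r"C:\Users\bob\AppData\Local\Temp\update.exe", True,
                 "g.api.mega.co.nz", "198.51.100.11", 443),    # suspicious, suffix match
    NetConnEvent("ws04", r"C:\Program Files\Google\Chrome\Application\chrome.exe", True,
                 "www.example.com", "203.0.113.5", 443),       # unrelated destination
    NetConnEvent("ws05", r"C:\Windows\System32\svchost.exe", False,
                 "api.mega.co.nz", "198.51.100.10", 443),      # inbound, ignored
]


def run_sample() -> List[str]:
    """Image paths of the sample events that would alert."""
    return [ev.image for ev in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for image in run_sample():
        print("ALERT:", image)
```

Two practical notes on tuning this: the allowlist should pair the image path with the host it is expected on (the rule's own guidance speaks of excluding installations and their hosts), and if your sensor leaves the destination hostname empty, correlate the connection with DNS query logs rather than relying on the IP, which Mega.nz can change.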
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
Created: 2021-12-06