
Mega Utility Execution - *nix

Anvilogic Forge

Summary
The Mega Utility Execution rule is designed to detect unauthorized use of the MEGA cloud storage application on Linux and macOS platforms. MEGA is favored by threat actors for its end-to-end encryption and semi-anonymous payment options, which let them transfer large volumes of stolen data discreetly. This detection rule leverages EDR logs to identify process executions of the MEGAsync client application or the command-line utility MegaCMD. By querying the process paths of these utilities within the last two hours, the rule can surface potential data exfiltration activity in near real time. The detection logic uses the Snowflake query format to filter process events by platform and by the specified process paths; any match indicates a possible security incident.
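To make the rule's three filters concrete (platform is Linux or macOS, process path names a MEGA client binary, event falls inside the two-hour lookback), the following Python is an added illustration written for this page; it is not the Anvilogic rule itself, which runs as a Snowflake query. The path markers `megasync`, `mega-cmd` and `megacmd`, the event field names, and the sample EDR records are all assumptions constructed here, not values from the original rule.

```python
from datetime import datetime, timedelta, timezone

# Assumed substrings that identify the MEGAsync GUI client and the MegaCMD
# command-line utility in an executable path. The real rule's path list is
# not reproduced on the page, so these are illustrative only.
MEGA_PATH_MARKERS = ("megasync", "mega-cmd", "megacmd")

# The rule is scoped to *nix endpoints; Windows events are ignored here.
TARGET_PLATFORMS = {"linux", "macos"}

# Matches only events from the last two hours, as the rule description states.
LOOKBACK = timedelta(hours=2)


def is_mega_process(process_path: str) -> bool:
    """True when the executable path names a MEGA client or MegaCMD binary."""
    path = process_path.lower()
    return any(marker in path for marker in MEGA_PATH_MARKERS)


def detect_mega_execution(events, now):
    """Return the process events that satisfy all three rule conditions.

    Each event is a dict with (assumed) keys: timestamp (tz-aware datetime),
    platform, host, user, process_path.
    """
    cutoff = now - LOOKBACK
    hits = []
    for ev in events:
        if ev["platform"].lower() not in TARGET_PLATFORMS:
            continue                      # out of scope: not Linux/macOS
        if ev["timestamp"] < cutoff:
            continue                      # outside the two-hour window
        if not is_mega_process(ev["process_path"]):
            continue                      # not a MEGA client binary
        hits.append(ev)
    return hits


def alert_keys(hits):
    """Compact (host, user, process_path) tuples for triage or deduplication."""
    return sorted((h["host"], h["user"], h["process_path"]) for h in hits)


# Constructed sample telemetry (hypothetical, not real EDR data).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Linux host running the MEGAsync client 15 minutes ago -> should match
    {"timestamp": NOW - timedelta(minutes=15), "platform": "linux",
     "host": "build-01", "user": "svc-ci", "process_path": "/usr/bin/megasync"},
    # macOS host running MegaCMD 40 minutes ago -> should match
    {"timestamp": NOW - timedelta(minutes=40), "platform": "macOS",
     "host": "mbp-jdoe", "user": "jdoe",
     "process_path": "/Applications/MEGAcmd.app/Contents/MacOS/mega-cmd"},
    # Linux host running MegaCMD five hours ago -> outside lookback, no match
    {"timestamp": NOW - timedelta(hours=5), "platform": "linux",
     "host": "db-02", "user": "root", "process_path": "/usr/bin/megacmd"},
    # Windows host running MEGAsync -> wrong platform for this rule, no match
    {"timestamp": NOW - timedelta(minutes=5), "platform": "windows",
     "host": "ws-17", "user": "asmith",
     "process_path": "C:\\Program Files\\MEGAsync\\MEGAsync.exe"},
    # Linux host running an unrelated transfer tool -> no match
    {"timestamp": NOW - timedelta(minutes=5), "platform": "linux",
     "host": "build-01", "user": "svc-ci", "process_path": "/usr/bin/rsync"},
]

if __name__ == "__main__":
    for host, user, path in alert_keys(detect_mega_execution(SAMPLE_EVENTS, NOW)):
        print(f"MEGA utility execution: host={host} user={user} path={path}")
```

Run as a script, the block reports the two matching events (the Linux MEGAsync launch and the macOS MegaCMD launch) and silently drops the stale, Windows and rsync records. In a production pipeline the same three predicates would be expressed in the rule's Snowflake query; the substring match on the path is deliberately case-insensitive because the MEGAsync bundle on macOS and the Linux package use different capitalisation.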
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1567
Created: 2024-02-09