Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Sigma rule (View on GitHub)
1title: Renamed MegaSync Execution
2id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
3status: test
4description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
5references:
6 - https://redcanary.com/blog/rclone-mega-extortion/
7author: Sittikorn S
8date: 2021-06-22
9modified: 2023-02-03
10tags:
11 - attack.defense-evasion
12 - attack.t1218
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection:
18 OriginalFileName: 'megasync.exe'
19 filter:
20 Image|endswith: '\megasync.exe'
21 condition: selection and not filter
22falsepositives:
23 - Software that illegally integrates MegaSync in a renamed form
24 - Administrators that have renamed MegaSync
25level: high
References
-
Defenders can sabotage double extortion ransomware schemes by detecting unusual file transfer utilities such as Mega and Rclone.
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE