Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Sigma rule (View on GitHub)
1title: Renamed MegaSync Execution
2id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
3status: test
4description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
5references:
6 - https://redcanary.com/blog/rclone-mega-extortion/
7author: Sittikorn S
8date: 2021/06/22
9modified: 2023/02/03
10tags:
11 - attack.defense_evasion
12 - attack.t1218
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection:
18 OriginalFileName: 'megasync.exe'
19 filter:
20 Image|endswith: '\megasync.exe'
21 condition: selection and not filter
22falsepositives:
23 - Software that illegally integrates MegaSync in a renamed form
24 - Administrators that have renamed MegaSync
25level: high
References
-
Defenders can sabotage double extortion ransomware schemes by detecting unusual file transfer utilities such as Mega and Rclone.
Read More
Related rules
- Microsoft Workflow Compiler Execution
- Application Whitelisting Bypass via Dxcap.exe
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension
- File Creation by Process with Double File Extension