← Back to SOC feed Coverage →

Network Connection Initiated To Mega.nz

sigma LOW SigmaHQ
T1567.002
imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a network connection initiated by a binary to “api.mega.co.nz”. Attackers were seen abusing file sharing websites similar to “mega.nz” in order to upload/download additional payloads.

Detection Rule

Sigma (Original)

title: Network Connection Initiated To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: |
    Detects a network connection initiated by a binary to "api.mega.co.nz".
    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
references:
    - https://megatools.megous.com/
    - https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2024-05-31
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    condition: selection
falsepositives:
    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
level: low

KQL (Azure Sentinel)

imNetworkSession
| where NetworkDirection =~ "true" and (DstHostname endswith "mega.co.nz" or DstHostname endswith "mega.nz")

Required Data Sources

Sentinel TableNotes
imNetworkSessionEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml