title: DNS Query for MEGA.io Upload Domain
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
description: Detects DNS queries for subdomains used for upload to MEGA.io
status: experimental
date: 2021/05/26
author: Aaron Greetham (@beardofbinary) - NCC Group
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
tags:
    - attack.exfiltration
    - attack.t1567.002
falsepositives:
    - Legitimate Mega upload
level: high 
logsource:
    product: windows
    category: dns_query
detection:
    dns_request:
        EventID: 22
        QueryName|contains: userstorage.mega.co.nz
    condition: dns_request