This artifact will parse MEGASync logs and enables using regex to search for entries of interest.
With UploadLogs selected a copy of the logs are uploaded to the server. SearchVSS enables search over VSS and dedup support.
name: Windows.Applications.MegaSync
description: |
This artifact will parse MEGASync logs and enables using regex to search for
entries of interest.
With UploadLogs selected a copy of the logs are uploaded to the server.
SearchVSS enables search over VSS and dedup support.
author: "Matt Green - @mgreen27"
reference:
- https://attack.mitre.org/techniques/T1567/002/
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: LogFiles
default: 'C:\Users\*\AppData\Local\Mega Limited\MEGAsync\logs\*.log'
- name: SearchRegex
description: "Regex of strings to search in line."
default: 'Transfer\s\(UPLOAD\)|upload\squeue|local\sfile\saddition\sdetected|Sync\s-\ssending\sfile|\"user\"'
type: regex
- name: WhitelistRegex
description: "Regex of strings to leave out of output."
default:
type: regex
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
- name: UploadLogs
description: "Upload MEGASync logs."
type: bool
sources:
- query: |
LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
LET Accessor = if(condition=VSSAnalysisAge > 0, then="ntfs_vss", else="auto")
-- Find target files
LET files = SELECT *, OSPath as Source
FROM glob(globs=LogFiles, accessor=Accessor)
-- Collect all Lines in scope of regex search
LET output = SELECT * FROM foreach(row=files,
query={
SELECT Line, OSPath,
Mtime,
Atime,
Ctime,
Size
FROM parse_lines(filename=OSPath,accessor='file')
WHERE TRUE
AND Line =~ SearchRegex
AND NOT if(condition= WhitelistRegex,
then= Line=~WhitelistRegex,
else = false)
})
GROUP BY Line
SELECT
Line as RawLine,
OSPath
FROM output
- name: LogFiles
query: |
SELECT
OSPath,
if(condition=UploadLogs,
then= upload(file=OSPath, accessor=Accessor)
) as Upload,
'MEGAsync logfile' as Description,
Mtime,
Atime,
Ctime,
Size
FROM output
GROUP BY OSPath