APT40 Dropbox Tool User Agent

calendar Feb 26, 2024 · attack.command_and_control attack.t1071.001 attack.exfiltration attack.t1567.002  ·
Share on: linkedin copy

Detects suspicious user agent string of APT40 Dropbox tool

Sigma rule (View on GitHub)

 1title: APT40 Dropbox Tool User Agent
 2id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
 3status: test
 4description: Detects suspicious user agent string of APT40 Dropbox tool
 5references:
 6    - Internal research from Florian Roth
 7author: Thomas Patzke
 8date: 2019/11/12
 9modified: 2023/05/18
10tags:
11    - attack.command_and_control
12    - attack.t1071.001
13    - attack.exfiltration
14    - attack.t1567.002
15logsource:
16    category: proxy
17detection:
18    selection:
19        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
20        cs-host: 'api.dropbox.com'
21    condition: selection
22falsepositives:
23    - Old browsers
24level: high

References

Related rules

to-top