APT40 Dropbox Tool User Agent

calendar Jun 12, 2025 · attack.command-and-control attack.t1071.001 attack.exfiltration attack.t1567.002 detection.emerging-threats  ·
Share on: linkedin copy

Detects suspicious user agent string of APT40 Dropbox tool

Sigma rule (View on GitHub)

 1title: APT40 Dropbox Tool User Agent
 2id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
 3status: test
 4description: Detects suspicious user agent string of APT40 Dropbox tool
 5references:
 6    - Internal research from Florian Roth
 7author: Thomas Patzke
 8date: 2019-11-12
 9modified: 2023-05-18
10tags:
11    - attack.command-and-control
12    - attack.t1071.001
13    - attack.exfiltration
14    - attack.t1567.002
15    - detection.emerging-threats
16logsource:
17    category: proxy
18detection:
19    selection:
20        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
21        cs-host: 'api.dropbox.com'
22    condition: selection
23falsepositives:
24    - Old browsers
25level: high

References

Related rules

to-top