Suspicious Dropbox API Usage

Detects an executable that isn't dropbox but communicates with the Dropbox API

Sigma rule (View on GitHub)

 1title: Suspicious Dropbox API Usage
 2id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
 3status: test
 4description: Detects an executable that isn't dropbox but communicates with the Dropbox API
 5references:
 6    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
 7    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 8author: Florian Roth (Nextron Systems)
 9date: 2022-04-20
10tags:
11    - attack.command-and-control
12    - attack.t1105
13logsource:
14    category: network_connection
15    product: windows
16detection:
17    selection:
18        Initiated: 'true'
19        DestinationHostname|endswith:
20            - 'api.dropboxapi.com'
21            - 'content.dropboxapi.com'
22    filter_main_legit_dropbox:
23        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
24        Image|contains: '\Dropbox'
25    condition: selection and not 1 of filter_main_*
26falsepositives:
27    - Legitimate use of the API with a tool that the author wasn't aware of
28level: high

References

Related rules

to-top