Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Sigma rule

```yaml
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1105
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'api.dropboxapi.com'
            - 'content.dropboxapi.com'
    filter_main_legit_dropbox:
        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
        Image|contains: '\Dropbox'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of the API with a tool that the author wasn't aware of
level: high
```
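The rule's detection logic evaluated over constructed Sysmon network_connection events, as an added example that is not part of the rule or the Sigma project. It shows the `selection` / `filter_main_*` semantics (case-insensitive `endswith` and `contains`) and why the comment in the rule recommends a path-specific filter: the loose `'\Dropbox'` substring also excludes any binary whose path merely contains a Dropbox folder. The install prefixes in `ALLOWED_PREFIXES` are assumed and must be adapted to the environment.

```python
from typing import Callable, Dict, List

# Constructed Sysmon Event ID 3 style records (category: network_connection); not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "Initiated": "true", "DestinationHostname": "content.dropboxapi.com"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Initiated": "true", "DestinationHostname": "api.dropboxapi.com"},
    {"Image": r"C:\Users\alice\Dropbox\sync.exe",
     "Initiated": "true", "DestinationHostname": "api.dropboxapi.com"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "false", "DestinationHostname": "api.dropboxapi.com"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationHostname": "www.dropbox.com"},
]

# Hostnames from the rule's DestinationHostname|endswith list.
API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")

# Assumed legitimate install locations (adjust per environment); lower-cased for matching.
ALLOWED_PREFIXES = (
    r"c:\program files (x86)\dropbox\ ".strip(),
    r"c:\program files\dropbox\ ".strip(),
)


def selection(ev: Dict[str, str]) -> bool:
    """Sigma 'selection': outbound connection to a Dropbox API host (case-insensitive)."""
    host = ev.get("DestinationHostname", "").lower()
    return ev.get("Initiated", "").lower() == "true" and host.endswith(API_HOSTS)


def filter_loose(ev: Dict[str, str]) -> bool:
    """The rule's filter as written: Image|contains '\\Dropbox' anywhere in the path."""
    return "\\dropbox" in ev.get("Image", "").lower()


def filter_strict(ev: Dict[str, str]) -> bool:
    """The tuning the rule's comment recommends: exact install prefixes only."""
    image = ev.get("Image", "").lower()
    return any(image.startswith(p) for p in ALLOWED_PREFIXES)


def run(events: List[Dict[str, str]], filt: Callable[[Dict[str, str]], bool]) -> List[str]:
    """condition: selection and not 1 of filter_main_*; returns the Image of each alerting event."""
    return [ev["Image"] for ev in events if selection(ev) and not filt(ev)]


if __name__ == "__main__":
    print("loose filter :", run(EVENTS, filter_loose))
    print("strict filter:", run(EVENTS, filter_strict))
```

With the loose filter only the Temp binary alerts; with the path-specific filter the executable living inside a user's Dropbox folder alerts as well.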
Related rules
- Suspicious Non-Browser Network Communication With Telegram API
- APT40 Dropbox Tool User Agent
- Suspicious Curl File Upload - Linux
- Cisco Stage Data
- Network Connection Initiated To Visual Studio Code Tunnels Domain