Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Sigma rule
```yaml
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'api.dropboxapi.com'
            - 'content.dropboxapi.com'
    filter_main_legit_dropbox:
        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
        Image|contains: '\Dropbox'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of the API with a tool that the author wasn't aware of
level: high
```
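The following is an added example, not part of the SigmaHQ rule or its tooling: it evaluates the rule's `selection`, `filter_main_legit_dropbox` and `condition` over constructed Sysmon Event ID 3-style network_connection records, so a detection engineer can see which events fire and why the comment in the rule recommends an exact install path rather than `Image|contains: '\Dropbox'`. Field names follow the Sigma Windows network_connection schema the rule uses; Sigma string matching is treated as case-insensitive, which is its default.

```python
# Constructed sample events (not real telemetry), each with the verdict we expect.
SAMPLE_EVENTS = [
    # Legitimate client under a Dropbox install path: removed by the filter.
    {"Initiated": "true", "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    # Unknown binary in a user-writable path talking to the content API: alert.
    {"Initiated": "true", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationHostname": "content.dropboxapi.com"},
    # Inbound connection (Initiated=false) is outside the selection.
    {"Initiated": "false", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    # Look-alike hostname that does not END with a listed value: no match.
    {"Initiated": "true", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationHostname": "api.dropboxapi.com.example.net"},
    # Any '\Dropbox' directory in the path satisfies the contains-filter, so this
    # matches the selection yet is suppressed; an exact install path would not be.
    {"Initiated": "true", "Image": r"C:\Users\alice\Dropbox\tools\sync.exe",
     "DestinationHostname": "api.dropboxapi.com"},
]

DROPBOX_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")


def selection(event: dict) -> bool:
    """Sigma 'selection': outbound connection to a Dropbox API hostname."""
    host = event.get("DestinationHostname", "").lower()
    return event.get("Initiated", "").lower() == "true" and host.endswith(DROPBOX_API_HOSTS)


def filter_main_legit_dropbox(event: dict) -> bool:
    """Sigma 'filter_main_legit_dropbox': Image|contains '\\Dropbox' (case-insensitive)."""
    return "\\dropbox" in event.get("Image", "").lower()


def matches(event: dict) -> bool:
    """Sigma condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_dropbox(event)


def run(events=SAMPLE_EVENTS) -> list:
    """Return the Image of every event that triggers the rule."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in run():
        print("ALERT:", image)
```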