Suspicious Dropbox API Usage

Detects an executable that isn't dropbox but communicates with the Dropbox API

Sigma rule (View on GitHub)

 1title: Suspicious Dropbox API Usage
 2id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
 3status: test
 4description: Detects an executable that isn't dropbox but communicates with the Dropbox API
 5references:
 6    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
 7    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 8author: Florian Roth (Nextron Systems)
 9date: 2022-04-20
10tags:
11    - attack.command-and-control
12    - attack.exfiltration
13    - attack.t1105
14    - attack.t1567.002
15logsource:
16    category: network_connection
17    product: windows
18detection:
19    selection:
20        Initiated: 'true'
21        DestinationHostname|endswith:
22            - 'api.dropboxapi.com'
23            - 'content.dropboxapi.com'
24    filter_main_legit_dropbox:
25        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
26        Image|contains: '\Dropbox'
27    condition: selection and not 1 of filter_main_*
28falsepositives:
29    - Legitimate use of the API with a tool that the author wasn't aware of
30level: high

References

Related rules

to-top