Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Sigma rule (View on GitHub)
1title: Suspicious Dropbox API Usage
2id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
3status: test
4description: Detects an executable that isn't dropbox but communicates with the Dropbox API
5references:
6 - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
7 - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
8author: Florian Roth (Nextron Systems)
9date: 2022/04/20
10tags:
11 - attack.command_and_control
12 - attack.t1105
13logsource:
14 category: network_connection
15 product: windows
16detection:
17 selection:
18 Initiated: 'true'
19 DestinationHostname|endswith:
20 - 'api.dropboxapi.com'
21 - 'content.dropboxapi.com'
22 filter:
23 Image|contains: '\Dropbox'
24 condition: selection and not filter
25falsepositives:
26 - Legitimate use of the API with a tool that the author wasn't aware of
27level: high
References
-
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
In December 2021, ThreatLabz identified several macro-based MS office files targeting Middle Eastern countries which were attributed to the Molerats APT group.
Read More
Related rules
- Curl Usage on Linux
- Finger.exe Suspicious Invocation
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential Download/Upload Activity Using Type Command
- PrintBrm ZIP Creation of Extraction