← Back to Explore
sigmahighHunting
Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Detection Query
selection:
Initiated: "true"
DestinationHostname|endswith:
- api.dropboxapi.com
- content.dropboxapi.com
filter_main_legit_dropbox:
Image|contains: \Dropbox
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems)
Created
2022-04-20
Data Sources
windowsNetwork Connection Events
Platforms
windows
References
Tags
attack.command-and-controlattack.exfiltrationattack.t1105attack.t1567.002
Raw Content
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
- attack.command-and-control
- attack.exfiltration
- attack.t1105
- attack.t1567.002
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'api.dropboxapi.com'
- 'content.dropboxapi.com'
filter_main_legit_dropbox:
# Note: It's better to add a specific path to the exact location(s) where dropbox is installed
Image|contains: '\Dropbox'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of the API with a tool that the author wasn't aware of
level: high