Suspicious Dropbox API Usage

Hunt Hypothesis

Detects an executable that isn’t dropbox but communicates with the Dropbox API

Detection Rule

Sigma (Original)

title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1105
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'api.dropboxapi.com'
            - 'content.dropboxapi.com'
    filter_main_legit_dropbox:
        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
        Image|contains: '\Dropbox'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of the API with a tool that the author wasn't aware of
level: high

KQL (Azure Sentinel)

imNetworkSession
| where (NetworkDirection =~ "true" and (DstHostname endswith "api.dropboxapi.com" or DstHostname endswith "content.dropboxapi.com")) and (not((SrcProcessName contains "\\Dropbox" or DstProcessName contains "\\Dropbox")))

Required Data Sources

False Positive Guidance

• Legitimate use of the API with a tool that the author wasn’t aware of

MITRE ATT&CK Context

• Tactic: Command and Control
• Tactic: Exfiltration
• Technique: T1105 — T1105
• Technique: T1567.002 — T1567.002

References

• https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
• https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
• SigmaHQ Rule