
Suspicious Dropbox API Usage

Detects an executable that isn't dropbox but communicates with the Dropbox API

Author: Florian Roth (Nextron Systems)
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (2 selectors)
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'api.dropboxapi.com'
            - 'content.dropboxapi.com'
    filter_main_legit_dropbox:
        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
        Image|contains: '\Dropbox'
    condition: selection and not 1 of filter_main_*
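As an added illustration (not part of the rule page or the Sigma project), the following Python evaluator applies the rule's selection and filter semantics to a handful of constructed Sysmon network-connection events. It assumes the usual Sysmon field names (Image, DestinationHostname, Initiated as the string "true"/"false"), Sigma's default case-insensitive string matching, and, for the stricter filter the rule's comment recommends, a hypothetical installed-client path under Program Files (x86).

```python
# Added example (not part of the rule page): a Python evaluator that applies the
# Sigma selection/filter semantics above to constructed network-connection events.
from dataclasses import dataclass

# Hostname suffixes from the rule's DestinationHostname|endswith list
API_HOST_SUFFIXES = ("api.dropboxapi.com", "content.dropboxapi.com")

# Sigma string modifiers are case-insensitive by default, so compare lower-cased
LEGIT_IMAGE_SUBSTRING = "\\dropbox"   # Image|contains: '\Dropbox'

# Hypothetical stricter filter: full path of the installed client (assumed path,
# adjust to wherever the client is actually deployed in your estate)
STRICT_LEGIT_IMAGES = ("c:\\program files (x86)\\dropbox\\client\\dropbox.exe",)


@dataclass(frozen=True)
class NetConnEvent:
    """Minimal subset of a Sysmon Event ID 3 (network connection) record."""
    image: str
    destination_hostname: str
    initiated: str  # Sysmon emits the boolean as the string "true" / "false"


def selection(ev: NetConnEvent) -> bool:
    """'selection' block: outbound connection to one of the Dropbox API hosts."""
    return (ev.initiated.lower() == "true"
            and ev.destination_hostname.lower().endswith(API_HOST_SUFFIXES))


def filter_main_legit_dropbox(ev: NetConnEvent) -> bool:
    """'filter_main_legit_dropbox' as written: any image path containing '\\Dropbox'."""
    return LEGIT_IMAGE_SUBSTRING in ev.image.lower()


def filter_strict(ev: NetConnEvent) -> bool:
    """Tighter filter the rule's comment recommends: exact installed-client path(s)."""
    return ev.image.lower() in STRICT_LEGIT_IMAGES


def matches(ev: NetConnEvent, strict: bool = False) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    legit = filter_strict(ev) if strict else filter_main_legit_dropbox(ev)
    return selection(ev) and not legit


def evaluate(events, strict: bool = False) -> list:
    """Return the Image of every event the rule would alert on."""
    return [ev.image for ev in events if matches(ev, strict)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # legitimate client: matched by both filters, never alerts
    NetConnEvent(r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "api.dropboxapi.com", "true"),
    # unknown binary talking to the API: alerts under either filter
    NetConnEvent(r"C:\Users\Public\updater.exe", "content.dropboxapi.com", "true"),
    # inbound connection: Initiated is "false", so the selection never fires
    NetConnEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "api.dropboxapi.com", "false"),
    # binary that merely lives in a folder named Dropbox: slips past the broad
    # '\Dropbox' filter but is caught once the filter names the exact client path
    NetConnEvent(r"C:\Users\alice\Dropbox\sync_helper.exe", "api.dropboxapi.com", "true"),
    # web UI host, not an API host: outside the selection
    NetConnEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.dropbox.com", "true"),
]

if __name__ == "__main__":
    print("rule as written :", evaluate(SAMPLE_EVENTS))
    print("strict filter   :", evaluate(SAMPLE_EVENTS, strict=True))
```

The fourth sample event is the point of the comment in the rule: a substring filter on '\Dropbox' also suppresses anything running from a user's synced Dropbox folder, while pinning the filter to the installed client's full path keeps that event visible.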
False Positives

Legitimate use of the API with a tool that the author wasn't aware of

Rule Metadata
Rule ID
25eabf56-22f0-4915-a1ed-056b8dae0a68
Status
test
Level
high
Type
Detection
Created
Wed Apr 20
Path
rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
Raw Tags
attack.command-and-control, attack.exfiltration, attack.t1105, attack.t1567.002