Suspicious Dropbox API Usage


Rule name: Suspicious Dropbox API usage

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Command and Control: Ingress Tool Transfer (T1105)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Suspicious Dropbox API Usage fires when a process other than the official Dropbox client initiates a network connection to a Dropbox API endpoint (api.dropboxapi.com or content.dropboxapi.com). Few endpoint applications talk to the API directly, so such a connection may indicate a script or tool using Dropbox as a command-and-control or file-transfer channel, and should be reviewed.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (Phishing) → Execution → Defense Evasion → Command and control (Dropbox API Usage) → Impact

Impact

  • An outbound HTTPS channel to the Dropbox API that blends in with ordinary cloud-storage traffic and is unlikely to be blocked at the perimeter.
  • Retrieval of additional payloads over that channel (Ingress Tool Transfer, T1105).
  • Exfiltration of data by uploading it to attacker-controlled Dropbox storage.

Rule Requirement

Prerequisites

  • Download Sysmon from Microsoft Sysinternals. Then, open a Command Prompt with administrator privileges and install Sysmon with a configuration that monitors network connections using -

sysmon.exe -i [configfile.xml].

  • Add network connection events to monitor in your configuration file. The schemaversion attribute is mandatory and must match the installed Sysmon binary (4.90 is the schema for Sysmon 15; check the installed version) -

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- An exclude rule with no conditions captures every network connection (Event ID 3) -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

  • Sysmon writes its events to the Microsoft-Windows-Sysmon/Operational event channel; make sure this channel is collected by your SIEM.
  • Network connection events (Event ID 3) are high volume, so raise that channel's maximum log size to about 200 MB (the MaxSize value of the channel's key under "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\", or the channel's properties in Event Viewer) to ensure adequate storage for network logs.

Criteria

Action1: actionname = "sa_network_connection" AND (IS_INITIATED = "true" AND DESTINATIONHOST endswith "api.dropboxapi.com,content.dropboxapi.com") AND PROCESSNAME notcontains "\Dropbox" select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.PROCESSNAME,Action1.DESTINATIONHOST,Action1.DESTINATION_IPV6,Action1.DEST_IP,Action1.SOURCEHOST,Action1.SOURCE_IP,Action1.SOURCE_IPV6

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control : Ingress Tool Transfer (T1105)

Security Standards

Enabling this rule will help you meet the security standard requirements listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Security administrators must continuously monitor the network and its services in real time using SIEM tools, so that connections to the Dropbox API from unexpected processes are identified as they happen. Enforce web traffic policies (for example, allowing cloud storage services only for approved applications) to maintain network security.

PR.PS-02: Software is maintained, replaced, and removed commensurate with risk.

Security personnel need to proactively secure software throughout its lifecycle. Patch management solutions, endpoint protection tools, and SIEM systems are essential to apply updates, monitor vulnerabilities, and identify and remove outdated or unsupported software and devices from the network to maintain a secure environment.

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

Security administrators should draft and enforce strict access policies governing which users and applications may use cloud storage services and their APIs, and review those entitlements regularly. Leverage IAM and SIEM solutions to enforce access permissions and authorizations and to support regular auditing.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Dropbox API usage can be completely legitimate when triggered by business tools such as CRM, ERP, or endpoint management systems. These tools often use connectors or plugins to access and update Dropbox resources, resulting in valid API calls.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check whether the flagged activity is new or belongs to an existing incident.
  2. Analysis: Analyze the impact and extent of the incident, including which process and user made the connection, to determine the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to block the network connection and terminate the malicious process.
  4. Reconfiguration: Update network and web traffic policies, and continue monitoring traffic trends in the network.

Mitigation

Mitigation ID: M1031

Mitigation name: Network Intrusion Prevention

Mitigation description: Use network intrusion detection and prevention systems with signatures that identify and block adverse traffic entering or leaving the network. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools, so signatures must be kept current and complemented by behavioral rules such as this one.