LoFP / legitimate use of the API with a tool that the author wasn't aware of

Techniques

Sample rules

Suspicious Dropbox API Usage

Description

Detects an executable that isn't Dropbox but communicates with the Dropbox API. Any third-party tool that legitimately talks to the Dropbox API (backup or sync utilities, scripts built on the Dropbox SDK) will trigger this rule, because the only exclusion is an image path containing \Dropbox.

Detection logic

selection:
  DestinationHostname|endswith:
    - api.dropboxapi.com
    - content.dropboxapi.com
  Initiated: 'true'
filter_main_legit_dropbox:
  Image|contains: \Dropbox
condition: selection and not 1 of filter_main_*
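The following is an added example, not part of the LoFP page or the Sigma rule itself: a small Python evaluator for the detection logic above, run over constructed Sysmon Event ID 3 (network connection) records. It shows the official client being excluded by the \Dropbox path filter, a third-party tool that uses the Dropbox API alerting (the false positive this entry describes), and how a per-environment allow-list filter would suppress that tool. The sample events, image paths and the `is_known_backup_tool` allow-list are assumptions for illustration.

```python
# Added example (not the page's or the rule's own code): evaluate the Sigma
# logic of "Suspicious Dropbox API Usage" against constructed Sysmon Event ID 3
# records. Field names mirror the rule; the events and the extra allow-list
# filter are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Hosts from the rule's `DestinationHostname|endswith` selection.
DROPBOX_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of a Sysmon Event ID 3 record that the rule inspects."""
    image: str                 # full path of the process that made the connection
    destination_hostname: str  # reverse-resolved destination host
    initiated: bool            # True for outbound connections this host opened


def selection(ev: NetworkEvent) -> bool:
    """`selection`: an outbound connection to a Dropbox API host.

    Sigma string modifiers match case-insensitively, so compare lower-cased."""
    host = ev.destination_hostname.lower()
    return ev.initiated and host.endswith(DROPBOX_API_HOSTS)


def filter_main_legit_dropbox(ev: NetworkEvent) -> bool:
    """`filter_main_legit_dropbox`: Image|contains: \\Dropbox.

    This is a substring test on the path, so it also excludes any binary that
    merely lives under a folder named Dropbox (for example a user's sync folder)."""
    return "\\dropbox" in ev.image.lower()


def rule_matches(ev: NetworkEvent,
                 extra_filters: Iterable[Callable[[NetworkEvent], bool]] = ()) -> bool:
    """`condition: selection and not 1 of filter_main_*`, plus any optional
    environment-specific filters a tuner appends for known-good tools."""
    if not selection(ev):
        return False
    if filter_main_legit_dropbox(ev):
        return False
    return not any(f(ev) for f in extra_filters)


def alerting_images(events: Iterable[NetworkEvent],
                    extra_filters: Iterable[Callable[[NetworkEvent], bool]] = ()) -> List[str]:
    """Return the Image of every event the rule would fire on."""
    extra = list(extra_filters)
    return [ev.image for ev in events if rule_matches(ev, extra)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Official client: excluded by the \Dropbox path filter.
    NetworkEvent(r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
                 "api.dropboxapi.com", True),
    # Third-party backup tool using the Dropbox API: the false positive this
    # LoFP entry describes. Its path does not contain \Dropbox, so it alerts.
    NetworkEvent(r"C:\Tools\rclone.exe", "content.dropboxapi.com", True),
    # Inbound connection (Initiated: false): not selected.
    NetworkEvent(r"C:\Tools\rclone.exe", "api.dropboxapi.com", False),
    # Outbound, but not to a Dropbox API host: not selected.
    NetworkEvent(r"C:\Tools\rclone.exe", "api.github.com", True),
    # Unrelated binary sitting in a user's Dropbox sync folder: silently
    # excluded because the filter only checks for the \Dropbox substring.
    NetworkEvent(r"C:\Users\alice\Dropbox\updater.exe", "api.dropboxapi.com", True),
]


def is_known_backup_tool(ev: NetworkEvent) -> bool:
    """Assumed per-environment allow-list entry: an exact full-path match,
    which is tighter than the rule's substring filter."""
    return ev.image.lower() == r"c:\tools\rclone.exe"


if __name__ == "__main__":
    print("baseline rule alerts on:", alerting_images(SAMPLE_EVENTS))
    print("with local allow-list  :",
          alerting_images(SAMPLE_EVENTS, [is_known_backup_tool]))
```

When tuning this rule, prefer an exact-path or signer-based filter for each known tool over widening `Image|contains`, since the existing substring filter already excludes anything whose path happens to contain \Dropbox.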