APT40 Dropbox Tool User Agent

Detects suspicious user agent string of APT40 Dropbox tool

Rule Content

- title: APT40 Dropbox Tool User Agent
  id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
  status: experimental
  description: Detects suspicious user agent string of APT40 Dropbox tool
  references:
  - Internal research from Florian Roth
  author: Thomas Patzke
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
      r-dns: api.dropbox.com
    condition: selection
  fields:
  - c-ip
  - c-uri
  falsepositives:
  - Old browsers
  level: high
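The rule's selection is two exact-match conditions that must both hold on the same proxy record: the hard-coded Chrome 36 / Windows 7 user agent and a destination of api.dropbox.com. The following is an added example, not part of the Sigma rule or the HELK notebook, that applies that selection over constructed proxy log records the way a Sigma backend would: plain string values in Sigma are case-insensitive exact matches with `*` and `?` as wildcards. The record field names (c-ip, c-uri, c-useragent, r-dns) are the rule's own; the log records and IP addresses are constructed for the example.

```python
import re

# Selection copied from the rule above. Sigma treats a plain string value
# as a case-insensitive exact match; '*' and '?' are the only wildcards.
SELECTION = {
    "c-useragent": (
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    ),
    "r-dns": "api.dropbox.com",
}

# The fields the rule asks the analyst to pivot on.
RULE_FIELDS = ("c-ip", "c-uri")

# Constructed proxy records (not real traffic), using the rule's field names.
SAMPLE_LOGS = [
    # 1: tool user agent talking to the Dropbox API -> should alert
    {"c-ip": "10.0.0.5", "r-dns": "api.dropbox.com", "c-uri": "/2/files/upload",
     "c-useragent": SELECTION["c-useragent"]},
    # 2: same user agent, but browsing the Dropbox web UI -> r-dns differs, no alert
    {"c-ip": "10.0.0.7", "r-dns": "www.dropbox.com", "c-uri": "/home",
     "c-useragent": SELECTION["c-useragent"]},
    # 3: current browser hitting the API -> user agent differs, no alert
    {"c-ip": "10.0.0.9", "r-dns": "api.dropbox.com", "c-uri": "/2/users/get_current_account",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    # 4: same values with different letter case -> still a Sigma match
    {"c-ip": "10.0.0.11", "r-dns": "API.DROPBOX.COM", "c-uri": "/2/files/list_folder",
     "c-useragent": SELECTION["c-useragent"].lower()},
    # 5: record missing the user agent field entirely -> no alert
    {"c-ip": "10.0.0.13", "r-dns": "api.dropbox.com", "c-uri": "/2/files/download"},
]


def sigma_value_matches(field_value, pattern):
    """Return True if field_value satisfies a Sigma plain-string pattern.

    Sigma semantics: case-insensitive, whole-value match, '*' matches any
    run of characters and '?' a single character. A missing field never matches.
    """
    if field_value is None:
        return False
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, str(field_value), re.IGNORECASE) is not None


def selection_matches(record, selection=SELECTION):
    """A Sigma selection map is an AND of all its field conditions."""
    return all(sigma_value_matches(record.get(f), v) for f, v in selection.items())


def run_rule(records, fields=RULE_FIELDS):
    """Evaluate 'condition: selection' over records; return the rule's pivot fields per hit."""
    return [{k: r.get(k) for k in fields} for r in records if selection_matches(r)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOGS):
        print(hit)
```

Records 1 and 4 alert; 2, 3 and 5 do not. Record 1 is exactly what the rule's "Old browsers" false positive looks like from the proxy's side: a genuine Chrome 36 on Windows 7 uploading to Dropbox produces the same two fields, so the c-ip and c-uri pivots are there to confirm whether the source host really runs that browser before escalating.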

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
# HELK's Elasticsearch endpoint; change the host if the notebook runs outside the HELK stack
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# doc_type='doc' is the HELK-era mapping type; it is ignored on Elasticsearch 7+
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Query string generated from the rule's selection: both conditions are ANDed,
# and the spaces, slashes and parentheses in the user agent are escaped for Lucene
s = searchContext.query('query_string', query='(c-useragent:"Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/36.0.1985.143\ Safari\/537.36" AND r-dns:"api.dropbox.com")')
response = s.execute()
if response.success():
    # scan() pages through every hit instead of the first 10 returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # keep df defined so the next cell does not fail on a shard error
    df = pd.DataFrame()
    print("Query failed:", response.to_dict())

Show Results


In [ ]:
df.head()