DropBox - Massive File Alterations

This rule detects more than 100 edited files during an hour by the same user. This is a suspicious behavior which can be an indication of a ransomware attack

Dropbox HIGH OTHER

Details

ID6de99f56-dfbf-40e0-bffd-bffe0a543cf5
From Version6.10.0
Execution ModeSCHEDULED
Crontab0 * * * *
Search Window4 hours
Datasetalerts

MITRE ATT&CK

  • TA0040 - Impact
    • T1486 - Data Encrypted for Impact

XQL Query

datamodel dataset = dropbox_dropbox_raw
| filter xdm.event.type = "file_operations" and xdm.event.operation_sub_type = "file_edit"
| alter user = coalesce(xdm.source.user.username, xdm.target.user.username)
| comp values(xdm.source.ipv4) as SourceIP, values(xdm.source.location.country) as Countries, max(_time) as lastTime, values(xdm.target.resource.name) as Files, count() as NumberOfFiles by user
| filter NumberOfFiles > 100

Investigation Query

datamodel dataset = dropbox_dropbox_raw
| filter xdm.event.type = "file_operations" and xdm.event.operation_sub_type = "file_edit"
| alter user = coalesce(xdm.source.user.username, xdm.target.user.username)
| filter user=$user