WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with suspicious extensions
Sigma rule
```yaml
title: WebDAV Temporary Local File Creation
id: 4c55738d-72d8-490e-a2db-7969654e375f
status: experimental
description: Detects the creation of WebDAV temporary files with suspicious extensions
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Micah Babinski
date: 2023/07/31
modified: 2023/08/04
tags:
    - attack.initial_access
    - attack.t1584
    - attack.t1566
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|contains: 'AppData\Local\Temp\TfsStore\Tfs_DAV'
    selection_2:
        TargetFilename|endswith:
            - '.vbs'
            - '.ps1'
            - '.lnk'
            - '.zip'
            - '.ico'
            - '.bat'
            - '.js'
    condition: all of selection_*
falsepositives:
    - Legitimate use of WebDAV in an environment
level: low
```
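As an added illustration (not part of the rule or of the Sigma project), the rule's two selections expressed in Python and run over a few constructed Sysmon FileCreate (Event ID 11) records; the field name `TargetFilename`, the `Tfs_DAV` path fragment and the extension list are taken from the rule, and the sample records are invented.

```python
"""Emulation of the WebDAV Tfs_DAV Sigma rule (added example, not the rule itself)."""
from typing import Dict, Iterable, List

# Values taken from the rule: the WebDAV client's local cache path fragment
# and the extensions the rule treats as suspicious.
TFS_DAV_FRAGMENT = r"AppData\Local\Temp\TfsStore\Tfs_DAV"
SUSPICIOUS_EXTENSIONS = (".vbs", ".ps1", ".lnk", ".zip", ".ico", ".bat", ".js")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when both selections hold ('all of selection_*').

    Sigma string modifiers (contains/endswith) match case-insensitively,
    so both sides are lower-cased before comparison.
    """
    target = event.get("TargetFilename", "").lower()
    selection_1 = TFS_DAV_FRAGMENT.lower() in target
    selection_2 = target.endswith(SUSPICIOUS_EXTENSIONS)
    return selection_1 and selection_2


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    # Hit: WebDAV cache path and a shortcut file.
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TfsStore\Tfs_DAV\invoice.lnk"},
    # Miss: right path, but an extension the rule does not list.
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TfsStore\Tfs_DAV\report.docx"},
    # Miss: listed extension, but not the WebDAV cache path.
    {"EventID": "11", "TargetFilename": r"C:\Users\alice\Downloads\setup.bat"},
    # Hit: upper-cased path still matches because Sigma matching ignores case.
    {"EventID": "11", "TargetFilename": r"C:\USERS\BOB\APPDATA\LOCAL\TEMP\TFSSTORE\TFS_DAV\PAYLOAD.JS"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["TargetFilename"])
```

The second hit shows why a backend that lowers both the field value and the pattern is needed; a case-sensitive port of the rule would miss it.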
Related rules
- Search-ms and WebDAV Indicators in URL
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- Malicious QakBot Dropped File Creation (Sysmon)
- Disabled Users Failing To Authenticate From Source Using Kerberos