WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with suspicious extensions
Sigma rule (View on GitHub)
1title: WebDAV Temporary Local File Creation
2id: 4c55738d-72d8-490e-a2db-7969654e375f
3status: experimental
4description: Detects the creation of WebDAV temporary files with suspicious extensions
5references:
6 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
7author: Micah Babinski
8date: 2023/07/31
9modified: 2023/08/04
10tags:
11 - attack.initial_access
12 - attack.t1584
13 - attack.t1566
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection_1:
19 TargetFilename|contains: 'AppData\Local\Temp\TfsStore\Tfs_DAV'
20 selection_2:
21 TargetFilename|endswith:
22 - '.vbs'
23 - '.ps1'
24 - '.lnk'
25 - '.zip'
26 - '.ico'
27 - '.bat'
28 - '.js'
29 condition: all of selection_*
30falsepositives:
31 - Legitimate use of WebDAV in an environment
32level: low```
References
Related rules
- Search-ms and WebDAV Indicators in URL
- Download From Suspicious TLD - Blacklist
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- HTML Help HH.EXE Suspicious Child Process