Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
Sigma rule:

```yaml
title: Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
      type: similar
status: experimental
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023/07/31
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\cmd.exe'
    selection_cmd:
        CommandLine|contains: '\DavWWWRoot\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
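To show what the rule's `condition: all of selection_*` actually matches, here is an added example (not part of the rule or the Sigma project) that evaluates the detection section above over constructed process_creation events. It assumes Sysmon-style field names (ParentImage, Image, CommandLine) and Sigma's default case-insensitive string matching; hostnames and paths in the samples are made up.

```python
"""Evaluate the WebDAV LNK Sigma rule over constructed process_creation events.
Assumes Sysmon-style field names and case-insensitive Sigma string modifiers."""

# Detection section of the rule, transcribed from the YAML above.
RULE = {
    "selection_img": {
        "ParentImage|endswith": ["\\explorer.exe"],
        "Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\cmd.exe"],
    },
    "selection_cmd": {
        "CommandLine|contains": ["\\DavWWWRoot\\"],
    },
}


def field_matches(value: str, modifier: str, patterns: list[str]) -> bool:
    """A list of values for one field is a logical OR; matching is case-insensitive."""
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "equals" and v == p:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside one selection must match (logical AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier or "equals", patterns):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -- every selection must match."""
    return all(selection_matches(event, sel) for sel in RULE.values())


# Constructed sample events (not real telemetry); hosts and paths are invented.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "\\\\webdav.example@80\\DavWWWRoot\\docs\\invoice.js"'},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},  # no WebDAV path: benign
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe \\\\webdav.example@80\\DavWWWRoot\\docs\\run.vbs"},  # parent not explorer
    {"ParentImage": "C:\\WINDOWS\\Explorer.EXE", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c \\\\webdav.example@80\\davwwwroot\\docs\\setup.bat"},  # mixed case still hits
]


def evaluate_samples() -> list[bool]:
    """One verdict per sample event, in order: [True, False, False, True]."""
    return [rule_matches(e) for e in SAMPLE_EVENTS]
```

Only the first and last samples fire: the second lacks the `\DavWWWRoot\` path and the third was not spawned by explorer.exe, which is how the rule ties the script host to a user double-clicking the LNK.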
Related rules
- Powershell Base64 Encoding (RedCanary Threat Detection Report)
- Powershell Encoded Command Switch (RedCanary Threat Detection Report)
- Powershell Obfuscated Commands (RedCanary Threat Detection Report)
- Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
- Invoke-Obfuscation CLIP+ Launcher