Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
Sigma rule (View on GitHub)
1title: Suspicious WebDAV LNK Execution
2id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
3related:
4 - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
5 type: similar
6status: experimental
7description: Detects possible execution via LNK file accessed on a WebDAV server.
8references:
9 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
10 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
11author: Micah Babinski
12date: 2023/07/31
13tags:
14 - attack.execution
15 - attack.t1059.001
16 - attack.t1204
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 ParentImage|endswith: '\explorer.exe'
23 Image|endswith:
24 - '\wscript.exe'
25 - '\cscript.exe'
26 - '\cmd.exe'
27 selection_cmd:
28 CommandLine|contains: '\DavWWWRoot\'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: high```
References
-
Join us as we delve into the mysterious world of the "search" or "search-ms" URI protocol attack. Threat actors craft deceptive emails and compromised websites to trick users into executing malicious code disguised as trusted files.
Read More -
Related rules
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry
- DarkSide Ransomware Pattern
- Exploited CVE-2020-10189 Zoho ManageEngine
- Greenbug Espionage Group Indicators