Search-ms and WebDAV Indicators in URL
Detects URL pattern used by search(-ms)/WebDAV initial access campaign.
Sigma rule

```yaml
title: Search-ms and WebDAV Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
status: experimental
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaign.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Micah Babinski
date: 2023/07/31
modified: 2023/08/04
tags:
    - attack.initial_access
    - attack.t1584
    - attack.t1566
logsource:
    category: proxy
detection:
    selection_search_ms:
        c-uri|contains|all:
            - 'search' # matches on search:query= or search-ms:query=
            - ':query='
            - 'webdav'
    selection_search_term:
        c-uri|contains:
            - 'invoice'
            - 'payment'
            - 'notice'
            - 'agreement'
            # add others!
    filter:
        dst_ip:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: all of selection_* and not filter
falsepositives:
    - Legitimate use of search-ms/search URI protocol
level: high
```
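The following Python script is an added example, not part of the rule or its author's work: it re-implements the rule's three detection parts (the `contains|all` selection, the lure-term selection, and the private-range filter combined as `all of selection_* and not filter`) and runs them over a few constructed proxy records. The `key=value` log format, the TEST-NET destination addresses and the timestamps are all made up for the example. Two assumptions are built in: Sigma string matching is case-insensitive, so the URI is lowercased before comparison, and the `dst_ip` filter is treated as CIDR network membership (in Sigma this is normally expressed with the `|cidr` modifier, so check how your backend translates the plain list the rule uses).

```python
"""Offline evaluation of the search-ms/WebDAV Sigma rule against constructed proxy records."""
import ipaddress
import re
from typing import Dict, List

# Values copied from the rule's detection section.
URI_ALL_OF = ("search", ":query=", "webdav")                # selection_search_ms (c-uri|contains|all)
LURE_TERMS = ("invoice", "payment", "notice", "agreement")  # selection_search_term (c-uri|contains)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # filter (assumed CIDR semantics)


def is_internal(dst_ip: str) -> bool:
    """True when dst_ip falls inside one of the rule's filtered ranges."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # unparsable destination: do not suppress the alert
    return any(addr in net for net in INTERNAL_NETS)


def matches_rule(c_uri: str, dst_ip: str) -> bool:
    """Evaluate 'all of selection_* and not filter' for a single record.

    Sigma string comparisons are case-insensitive by default, so the URI is
    lowercased; the rule's literals are already lowercase.
    """
    uri = c_uri.lower()
    selection_search_ms = all(token in uri for token in URI_ALL_OF)
    selection_search_term = any(term in uri for term in LURE_TERMS)
    return selection_search_ms and selection_search_term and not is_internal(dst_ip)


# Constructed proxy log in a hypothetical key=value format. Addresses are
# placeholders from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_PROXY_LOG = r"""
ts=2023-08-04T09:12:01Z c-ip=10.20.30.40 dst_ip=203.0.113.10 c-uri="search-ms:query=Invoice&crumb=location:\\203.0.113.10@80\webdav&displayname=Downloads"
ts=2023-08-04T09:13:22Z c-ip=10.20.30.41 dst_ip=192.168.5.7 c-uri="search-ms:query=payment&crumb=location:\\fileserver@80\webdav\shared"
ts=2023-08-04T09:14:05Z c-ip=10.20.30.42 dst_ip=203.0.113.11 c-uri="search-ms:query=quarterly%20report&crumb=location:C:\Users"
ts=2023-08-04T09:15:40Z c-ip=10.20.30.43 dst_ip=198.51.100.5 c-uri="search:query=agreement&crumb=location:\\198.51.100.5@80\WebDAV\docs"
"""

# key=value or key="quoted value" pairs; keys may contain '-' (c-uri, c-ip).
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dictionary."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def evaluate(log_text: str) -> List[str]:
    """Return the timestamps of the records the rule fires on, in log order."""
    hits: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if matches_rule(record.get("c-uri", ""), record.get("dst_ip", "")):
            hits.append(record["ts"])
    return hits


if __name__ == "__main__":
    for ts in evaluate(SAMPLE_PROXY_LOG):
        print("ALERT", ts)
```

Of the four constructed records, only the first and the last fire: the second reaches a WebDAV share on a private address and is dropped by the filter (the rule deliberately ignores internal search-ms traffic to reduce false positives), and the third is an ordinary local `search-ms:` query with no `webdav` crumb. The last record shows why the rule matches on the bare `search` string: the plain `search:query=` scheme and a mixed-case `\WebDAV` path are caught without separate entries.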
Related rules
- WebDAV Temporary Local File Creation
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- Malicious QakBot Dropped File Creation (Sysmon)
- Disabled Users Failing To Authenticate From Source Using Kerberos