Executable from Webdav
Detects executable access via webdav6. This behaviour can be seen in APT 29 activity, for example in the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
Sigma rule
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
  - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
  - https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
  - attack.command-and-control
  - attack.t1105
logsource:
  product: zeek
  service: http
detection:
  selection_webdav:
    - c-useragent|contains: 'WebDAV'
    - c-uri|contains: 'webdav'
  selection_executable:
    - resp_mime_types|contains: 'dosexec'
    - c-uri|endswith: '.exe'
  condition: selection_webdav and selection_executable
falsepositives:
  - Unknown
level: medium
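The following is an added example, not part of the rule or of SigmaHQ, showing the rule's two selections and its condition evaluated over Zeek http.log records in JSON form. It assumes the usual Sigma-to-Zeek field mapping (c-useragent to user_agent, c-uri to uri, resp_mime_types unchanged) and that Sigma string matching is case-insensitive, so both sides are lowercased; the log lines are constructed, not captured traffic.

```python
"""Evaluate the 'Executable from Webdav' Sigma logic against Zeek http.log JSON lines.

Assumptions (not stated by the rule itself): the Sigma fields c-useragent, c-uri and
resp_mime_types are read from the Zeek http.log fields user_agent, uri and
resp_mime_types. Sigma matching is case-insensitive, so values are lowercased.
"""
import json

# Constructed sample of Zeek http.log records in JSON format (not real traffic).
# C1: WebDAV client fetching a PE file           -> should alert
# C2: WebDAV directory listing (PROPFIND, XML)   -> no executable, no alert
# C3: plain browser download of a PE file        -> no WebDAV indicator, no alert
# C4: PDF fetched from a /WEBDAV/ path           -> no executable, no alert
# C5: WebDAV client fetching loader.EXE, no MIME -> uri endswith '.exe' matches, alert
SAMPLE_LOG = """\
{"ts":1588348800.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","method":"GET","host":"192.0.2.10","uri":"/webdav/update.exe","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19041","resp_mime_types":["application/x-dosexec"]}
{"ts":1588348801.2,"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"192.0.2.10","method":"PROPFIND","host":"192.0.2.10","uri":"/webdav/","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19041","resp_mime_types":["text/xml"]}
{"ts":1588348802.3,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.20","method":"GET","host":"198.51.100.20","uri":"/downloads/tool.exe","user_agent":"Mozilla/5.0","resp_mime_types":["application/x-dosexec"]}
{"ts":1588348803.4,"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"192.0.2.10","method":"GET","host":"192.0.2.10","uri":"/WEBDAV/report.pdf","user_agent":"Mozilla/5.0","resp_mime_types":["application/pdf"]}
{"ts":1588348804.5,"uid":"C5","id.orig_h":"10.0.0.9","id.resp_h":"192.0.2.10","method":"GET","host":"192.0.2.10","uri":"/share/loader.EXE","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19041","resp_mime_types":[]}
"""


def _text(value):
    """Normalise a Zeek field to a lowercase string.

    Vector fields such as resp_mime_types arrive as a JSON list (or as a
    comma-separated string in TSV logs); both are reduced to one string so a
    substring test covers every element. A missing field becomes ''.
    """
    if value is None:
        return ""
    if isinstance(value, (list, tuple)):
        return ",".join(str(v) for v in value).lower()
    return str(value).lower()


def matches_rule(record):
    """Return True when the record satisfies selection_webdav AND selection_executable."""
    user_agent = _text(record.get("user_agent"))       # Sigma: c-useragent
    uri = _text(record.get("uri"))                      # Sigma: c-uri
    mime_types = _text(record.get("resp_mime_types"))   # Sigma: resp_mime_types

    # selection_webdav: either list item may match (Sigma list items are OR-ed)
    selection_webdav = "webdav" in user_agent or "webdav" in uri
    # selection_executable: MIME sniffed as a PE file, or the URI ends in .exe
    selection_executable = "dosexec" in mime_types or uri.endswith(".exe")

    return selection_webdav and selection_executable


def detect(log_text):
    """Run the rule over JSON-lines http.log text; return the uids of matching records."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and Zeek header lines
            continue
        record = json.loads(line)
        if matches_rule(record):
            hits.append(record.get("uid"))
    return hits


if __name__ == "__main__":
    for uid in detect(SAMPLE_LOG):
        print("ALERT Executable from Webdav: connection", uid)
```

Note that C5 alerts only because of the `.exe` suffix: when the MIME sniffer sees no body (an empty `resp_mime_types`), the `dosexec` item cannot fire, which is why the rule keeps both indicators in `selection_executable`. Triage on a hit usually starts from the `uid` so the same connection can be joined against Zeek's conn.log and files.log.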
References
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings