Executable from Webdav

 1title: Executable from Webdav
 2id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
 3status: test
 4description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
 5references:
 6    - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
 7    - https://github.com/OTRF/detection-hackathon-apt29
 8author: 'SOC Prime, Adam Swan'
 9date: 2020/05/01
10modified: 2021/11/27
11tags:
12    - attack.command_and_control
13    - attack.t1105
14logsource:
15    product: zeek
16    service: http
17detection:
18    selection_webdav:
19        - c-useragent|contains: 'WebDAV'
20        - c-uri|contains: 'webdav'
21    selection_executable:
22        - resp_mime_types|contains: 'dosexec'
23        - c-uri|endswith: '.exe'
24    condition: selection_webdav and selection_executable
25falsepositives:
26    - Unknown
27level: medium

References

• WebDAV Server to Download Custom Executable or MSF Generated Executables

  

  Metasploit comes with dllhijacker module The current module does not allow you to download exe's, in fact these are specifically blacklisted. This makes sense because that's not what the exploit is...

  
  Read More

• GitHub - OTRF/detection-hackathon-apt29: Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets

  

  Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets - OTRF/detection-hackathon-apt29

  
  Read More

Related rules

• Remote File Copy
• DNS TXT Answer with Possible Execution Strings
• Default Cobalt Strike Certificate