WebDav Put Request
A general detection for a WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
Sigma rule
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
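The rule's `selection and not filter` condition, written out in Python and run over constructed Zeek http.log records in JSON format. This is an added example, not part of the Sigma rule or the project's own code. The function names and every sample record are assumptions, and matching is case-insensitive because that is Sigma's default for string values.

```python
import ipaddress
import json

# Responder ranges excluded by the rule's `filter` block.
FILTER_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

# Constructed Zeek http.log records (JSON format); all values are sample data.
SAMPLE_LOG = """\
{"uid":"C1","id.resp_h":"203.0.113.10","method":"PUT","uri":"/share/report.zip","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19045"}
{"uid":"C2","id.resp_h":"10.1.2.3","method":"PUT","uri":"/share/report.zip","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19045"}
{"uid":"C3","id.resp_h":"203.0.113.10","method":"PROPFIND","uri":"/share/","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19045"}
{"uid":"C4","id.resp_h":"203.0.113.10","method":"PUT","uri":"/upload","user_agent":"curl/8.5.0"}
{"uid":"C5","id.resp_h":"198.51.100.7","method":"PUT","uri":"/dav/a.7z","user_agent":"davclient (webdav)"}
{"uid":"C6","id.resp_h":"172.32.0.1","method":"PUT","uri":"/dav/b.7z","user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19045"}
"""

def matches_rule(event):
    """Return True when one http.log record satisfies `selection and not filter`."""
    ua = (event.get("user_agent") or "").lower()
    method = (event.get("method") or "").lower()
    # selection: user_agent contains 'WebDAV' AND method equals 'PUT'
    if not ("webdav" in ua and method == "put"):
        return False
    try:
        resp = ipaddress.ip_address(event.get("id.resp_h") or "")
    except ValueError:
        return True  # no parsable responder address, so the filter cannot match
    # filter: responder inside any listed range (an IPv6 responder never is)
    return not any(resp in net for net in FILTER_NETS)

def detect(log_text):
    """Return the uid of every record in a JSON http.log that the rule flags."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if matches_rule(event):
                hits.append(event["uid"])
    return hits

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Record C6 is flagged because 172.32.0.1 lies just outside 172.16.0.0/12, which ends at 172.31.255.255.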
Related rules
- Data Exfiltration with Wget
- PowerShell ICMP Exfiltration
- Suspicious DNS Query with B64 Encoded String
- Suspicious Outbound SMTP Connections
- Suspicious WebDav Client Execution Via Rundll32.EXE