WebDav Put Request

A general detection for a WebDAV user-agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.

Sigma rule

title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2024/03/13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
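
The rule's `selection and not filter` condition applied to Zeek `http.log` records in JSON form, as an added example (not part of the Sigma project or the original page). The function names, uids and sample records are constructed for illustration; the field names and CIDR ranges come from the rule.

```python
import ipaddress
import json

# Responder ranges excluded by the rule's `filter` block (copied from the rule).
FILTERED_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

def matches_rule(event):
    """True when a Zeek http.log record satisfies `selection and not filter`."""
    # selection: Sigma compares strings case-insensitively by default.
    user_agent = (event.get("user_agent") or "").lower()
    method = (event.get("method") or "").lower()
    if "webdav" not in user_agent or method != "put":
        return False
    # filter: a missing or unparseable responder cannot match any CIDR.
    try:
        responder = ipaddress.ip_address(event.get("id.resp_h") or "")
    except ValueError:
        return True
    return not any(responder in net for net in FILTERED_NETS)

def scan(lines):
    """Return (uid, responder, uri) for every JSON log line the rule flags."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if isinstance(event, dict) and matches_rule(event):
            hits.append((event.get("uid"), event.get("id.resp_h"), event.get("uri")))
    return hits

# Constructed sample records (documentation address ranges, made-up uids).
UA = "Microsoft-WebDAV-MiniRedir/10.0.19041"
SAMPLE_LOG = [json.dumps(r) for r in (
    {"uid": "C1", "id.resp_h": "203.0.113.10", "method": "PUT", "uri": "/share/a.zip", "user_agent": UA},
    {"uid": "C2", "id.resp_h": "192.168.1.20", "method": "PUT", "uri": "/share/b.zip", "user_agent": UA},
    {"uid": "C3", "id.resp_h": "203.0.113.10", "method": "PROPFIND", "uri": "/share/", "user_agent": UA},
    {"uid": "C4", "id.resp_h": "198.51.100.7", "method": "PUT", "uri": "/up/d.bin", "user_agent": "curl/8.4.0"},
    {"uid": "C5", "id.resp_h": "fd00::20", "method": "PUT", "uri": "/share/e.zip", "user_agent": UA},
)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `fd00::20` record is flagged because the filter lists only IPv4 ranges, so PUT requests to internal IPv6 responders are not excluded by the rule as written.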
