Windows WebDAV User Agent

Detects a WebDAV download cradle: a Windows host retrieving content through the Microsoft WebDAV Mini-Redirector client, identified in proxy logs by its user agent on GET requests.

Sigma rule (View on GitHub)

title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018/04/06
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
    - Legitimate WebDAV administration
level: high
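To show what the rule's selection actually matches, here is an added example (not part of the Sigma rule or its repository) that applies the same logic to constructed W3C extended format proxy log lines. It assumes the log exposes the cs-method and c-useragent fields named by the rule, and it compares strings case-insensitively because Sigma string matching is case-insensitive by default, so a lower-cased user agent or a "get" method still matches.

```python
"""Apply the Windows WebDAV User Agent rule's selection to W3C-style proxy logs."""
from typing import Dict, Iterator, List

# Constructed sample log (not from a real system). In W3C extended logs, spaces
# inside a field such as the user agent are encoded as '+'.
SAMPLE_PROXY_LOG = """\
#Software: hypothetical-proxy
#Fields: date time c-ip cs-method cs-uri c-useragent sc-status
2018-04-06 10:00:01 10.0.0.5 GET http://example.invalid/share/tool.dll Microsoft-WebDAV-MiniRedir/10.0.17134 200
2018-04-06 10:00:02 10.0.0.7 GET http://example.invalid/index.html Mozilla/5.0+(Windows+NT+10.0) 200
2018-04-06 10:00:03 10.0.0.5 PROPFIND http://example.invalid/share/ Microsoft-WebDAV-MiniRedir/10.0.17134 207
2018-04-06 10:00:04 10.0.0.9 get http://example.invalid/share/payload.hta microsoft-webdav-miniredir/6.1.7601 200
"""


def parse_w3c_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#Fields:' directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign the columns
        yield dict(zip(fields, values))


def matches_webdav_rule(event: Dict[str, str]) -> bool:
    """Rule selection: c-useragent|startswith MiniRedir prefix AND cs-method == GET.

    Sigma string matching is case-insensitive by default, so compare lower-cased.
    """
    ua = event.get("c-useragent", "").lower()
    method = event.get("cs-method", "").lower()
    return ua.startswith("microsoft-webdav-miniredir/") and method == "get"


def find_webdav_download_cradles(text: str) -> List[Dict[str, str]]:
    """Return every record in the log that satisfies the rule's selection."""
    return [event for event in parse_w3c_log(text) if matches_webdav_rule(event)]


if __name__ == "__main__":
    for hit in find_webdav_download_cradles(SAMPLE_PROXY_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri"], hit["c-useragent"])
```

The PROPFIND record is deliberately left unmatched: the rule keys on GET, so directory listings by the same client only surface through a separate rule or by widening cs-method, which would raise the false-positive rate the rule already lists.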
