Search-ms and WebDAV Suspicious Indicators in URL
Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
Sigma rule
```yaml
title: Search-ms and WebDAV Suspicious Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
status: experimental
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023/08/21
modified: 2023/08/25
tags:
    - attack.initial_access
    - attack.t1584
    - attack.t1566
logsource:
    category: proxy
detection:
    selection_search_ms:
        c-uri|contains|all:
            - 'search' # Matches on search:query= or search-ms:query=
            - ':query='
            - 'webdav'
    selection_search_term:
        c-uri|contains:
            # Note: Add additional keywords for additional coverage
            - 'agreement'
            - 'invoice'
            - 'notice'
            - 'payment'
    filter_main_local_ips:
        dst_ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
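To show how the three parts of the condition combine (both selections must match and no local-IP filter may match), here is a small evaluator of the rule's logic over constructed proxy events. This is an added illustration, not code from the rule author or the Sigma project; the event field names follow the rule (c-uri, dst_ip), the sample URIs and RFC 5737 addresses are constructed, and Sigma's case-insensitive `contains` is modelled by lowercasing.

```python
import ipaddress

# Tokens from selection_search_ms; every one must appear (contains|all).
SEARCH_MS_TOKENS = ("search", ":query=", "webdav")
# Lure keywords from selection_search_term; any one suffices (contains).
LURE_TERMS = ("agreement", "invoice", "notice", "payment")
# Internal ranges from filter_main_local_ips (dst_ip|cidr).
LOCAL_NETS = tuple(ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7"))


def is_local_destination(dst_ip: str) -> bool:
    """True when dst_ip falls inside one of the rule's filtered CIDR ranges."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:  # missing or malformed field: the filter does not apply
        return False
    return any(addr in net for net in LOCAL_NETS)


def matches_rule(event: dict) -> bool:
    """Evaluate: all of selection_* and not 1 of filter_main_*."""
    uri = event.get("c-uri", "").lower()  # Sigma 'contains' is case-insensitive
    selection_search_ms = all(tok in uri for tok in SEARCH_MS_TOKENS)
    selection_search_term = any(term in uri for term in LURE_TERMS)
    filtered = is_local_destination(event.get("dst_ip", ""))
    return selection_search_ms and selection_search_term and not filtered


# Constructed proxy events (hypothetical values, documentation IP ranges).
SAMPLE_EVENTS = [
    {"c-uri": r"search-ms:query=Invoice&crumb=location:\\203.0.113.10\webdav",
     "dst_ip": "203.0.113.10"},  # external WebDAV host -> alert
    {"c-uri": r"search-ms:query=Invoice&crumb=location:\\10.20.30.40\webdav",
     "dst_ip": "10.20.30.40"},   # same URI shape, internal host -> filtered
    {"c-uri": r"search:query=payment&crumb=location:\\198.51.100.7\webdav",
     "dst_ip": "198.51.100.7"},  # search: variant, external -> alert
    {"c-uri": "https://example.com/docs/invoice.pdf",
     "dst_ip": "198.51.100.7"},  # lure word alone is not enough -> no alert
]


def evaluate_samples() -> list:
    """Return the rule verdict for each constructed event, in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT" if hit else "ok   ", event["dst_ip"], event["c-uri"])
```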
Related rules
- Search-ms and WebDAV Indicators in URL
- WebDAV Temporary Local File Creation
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)