WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
Sigma rule (View on GitHub)
1title: WebDav Client Execution Via Rundll32.EXE
2id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
3status: test
4description: |
5 Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
6 This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
7references:
8 - https://github.com/OTRF/detection-hackathon-apt29/issues/17
9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020/05/02
12modified: 2023/09/18
13tags:
14 - attack.exfiltration
15 - attack.t1048.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_parent:
21 ParentImage|endswith: '\svchost.exe'
22 selection_img:
23 - Image|endswith: '\rundll32.exe'
24 - OriginalFileName: 'RUNDLL32.EXE'
25 selection_cli:
26 CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30level: medium
References
-
The attacker then collects files (T1005), which are compressed (T1002) and encrypted (T1022), before being exfiltrated to an attacker-controlled WebDAV share (T1048).
Read More -
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More
Related rules
- High DNS Bytes Out
- High DNS Bytes Out - Firewall
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate