Suspicious WebDav Client Execution Via Rundll32.EXE

 1title: Suspicious WebDav Client Execution Via Rundll32.EXE
 2id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
 3status: experimental
 4description: |
 5        Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
 6references:
 7    - https://twitter.com/aceresponder/status/1636116096506818562
 8    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
 9    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
10    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
11    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
12author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2023/03/16
14modified: 2023/09/18
15tags:
16    - attack.exfiltration
17    - attack.t1048.003
18    - cve.2023.23397
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        ParentImage|endswith: '\svchost.exe'
25        ParentCommandLine|contains: '-s WebClient'
26        Image|endswith: '\rundll32.exe'
27        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
28        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
29    filter_local_ips:
30        CommandLine|contains:
31            - '://10.' # 10.0.0.0/8
32            - '://192.168.' # 192.168.0.0/16
33            - '://172.16.' # 172.16.0.0/12
34            - '://172.17.'
35            - '://172.18.'
36            - '://172.19.'
37            - '://172.20.'
38            - '://172.21.'
39            - '://172.22.'
40            - '://172.23.'
41            - '://172.24.'
42            - '://172.25.'
43            - '://172.26.'
44            - '://172.27.'
45            - '://172.28.'
46            - '://172.29.'
47            - '://172.30.'
48            - '://172.31.'
49            - '://127.' # 127.0.0.0/8
50            - '://169.254.' # 169.254.0.0/16
51    condition: selection and not 1 of filter_*
52falsepositives:
53    - Unknown
54level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability - MDSec

  

  Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows...

  
  Read More

• The Long Game: Persistent Hash Theft

  

  CVE-2023-23397 enables a threat actor to send a calendar invite whereby the properties of the msg file can include a path for the reminder sound file. This is achieved by setting: ReminderOverrideD...

  
  Read More

• https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png

  
  Read More

• https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

  
  Read More

Related rules

• Powershell Exfiltration Over SMTP
• Suspicious Outbound SMTP Connections
• WebDav Client Execution Via Rundll32.EXE
• High DNS Bytes Out
• High DNS Bytes Out - Firewall