Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Sigma rule (View on GitHub)
1title: Suspicious WebDav Client Execution Via Rundll32.EXE
2id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
3status: test
4description: |
5 Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
6references:
7 - https://twitter.com/aceresponder/status/1636116096506818562
8 - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
9 - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
10 - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
11 - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
12author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2023-03-16
14modified: 2023-09-18
15tags:
16 - attack.exfiltration
17 - attack.t1048.003
18 - cve.2023-23397
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 ParentImage|endswith: '\svchost.exe'
25 ParentCommandLine|contains: '-s WebClient'
26 Image|endswith: '\rundll32.exe'
27 CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
28 CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
29 filter_local_ips:
30 CommandLine|contains:
31 - '://10.' # 10.0.0.0/8
32 - '://192.168.' # 192.168.0.0/16
33 - '://172.16.' # 172.16.0.0/12
34 - '://172.17.'
35 - '://172.18.'
36 - '://172.19.'
37 - '://172.20.'
38 - '://172.21.'
39 - '://172.22.'
40 - '://172.23.'
41 - '://172.24.'
42 - '://172.25.'
43 - '://172.26.'
44 - '://172.27.'
45 - '://172.28.'
46 - '://172.29.'
47 - '://172.30.'
48 - '://172.31.'
49 - '://127.' # 127.0.0.0/8
50 - '://169.254.' # 169.254.0.0/16
51 condition: selection and not 1 of filter_*
52falsepositives:
53 - Unknown
54level: high
References
Related rules
- Data Exfiltration with Wget
- Potential CVE-2023-23397 Exploitation Attempt - SMB
- PowerShell ICMP Exfiltration
- Powershell Exfiltration Over SMTP
- Suspicious DNS Query with B64 Encoded String