Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
Sigma rule
title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
      type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains: '\DavWWWRoot\'
    condition: selection
falsepositives:
    - Unknown
level: medium
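To show exactly which process_creation events the selection block above fires on, here is the rule's logic re-implemented in Python and run over a few constructed events; this is an added example, not code from the Sigma project or the rule author, and the hostnames, paths and field values in the sample events are made up. Sigma's string modifiers match case-insensitively, which the helper reproduces by lower-casing both sides.

```python
# Added example: the rule's 'selection' block as a Python predicate, applied to
# constructed process_creation events. Not part of the Sigma rule or project.

# Constants copied from the rule, lower-cased for case-insensitive comparison.
PARENT_SUFFIX = "\\explorer.exe"
IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
CMDLINE_NEEDLE = "\\davwwwroot\\"


def matches_webdav_lnk_rule(event: dict) -> bool:
    """True when the event satisfies all three conditions of 'selection'."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_SUFFIX)          # ParentImage|endswith
        and image.endswith(IMAGE_SUFFIXES)      # Image|endswith (any of list)
        and CMDLINE_NEEDLE in cmdline           # CommandLine|contains
    )


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # interpreter launched by Explorer with a WebDAV path: rule fires
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -File \\\\192.0.2.10@80\\DavWWWRoot\\share\\run.ps1",
    },
    {   # same parent and interpreter family, local path: no DavWWWRoot marker
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c C:\\Users\\alice\\tools\\build.cmd",
    },
    {   # WebDAV path but parent is not explorer.exe: outside the rule's scope
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe \\\\example.test@SSL\\DavWWWRoot\\x.vbs",
    },
]


def alerting_events(events: list) -> list:
    """Return the indexes of events the rule would flag."""
    return [i for i, e in enumerate(events) if matches_webdav_lnk_rule(e)]
```

Running `alerting_events(SAMPLE_EVENTS)` returns `[0]`: only the first event satisfies all three conditions, and the third shows why the ParentImage clause keeps service-spawned processes out of scope.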
Related rules
- Suspicious WebDAV LNK Execution
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Bad Opsec Powershell Code Artifacts