Potentially Suspicious WebDAV LNK Execution

Detects possible execution via LNK file accessed on a WebDAV server.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious WebDAV LNK Execution
 2id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
 3related:
 4    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
 5      type: similar
 6status: test
 7description: Detects possible execution via LNK file accessed on a WebDAV server.
 8references:
 9    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
10    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
11author: Micah Babinski
12date: 2023-08-21
13tags:
14    - attack.execution
15    - attack.t1059.001
16    - attack.t1204
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        ParentImage|endswith: '\explorer.exe'
23        Image|endswith:
24            - '\cmd.exe'
25            - '\cscript.exe'
26            - '\mshta.exe'
27            - '\powershell.exe'
28            - '\pwsh.exe'
29            - '\wscript.exe'
30        CommandLine|contains: '\DavWWWRoot\'
31    condition: selection
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top