Suspicious External WebDAV Execution

Rule Info

Name: Suspicious External WebDAV Execution
Author: Ahmed Farouk
Description: Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Date: 2024-05-10 00:00:00
Modified: None
Id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
Tags: attack.initial_access attack.t1584 attack.t1566 DEMO
Type: Community Rule

Rule History

Author: Ahmed Farouk
Title: Merge PR #4845 from @ahmedfarou22 - Proxy WebDAV Rule Improvements/New Rule
Date: 2024-05-10
Commit: