
Rule Info
Name: Suspicious WebDav Client Execution Via Rundll32.EXE
Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397.
Date: 2023-03-16 00:00:00
Modified: 2023-09-18 00:00:00
Id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397
Type: Community Rule
Link to Public Repo
Rule History
| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| github-actions[bot] | Merge PR #4942 from @nasbench - promote older rules status from experimental to test | 2024-08-01 | |
| Nasreddine Bencherchali | Merge PR #4482 From @nasbench - Add New Automation Workflows | 2023-10-18 | |
| Nasreddine Bencherchali | Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements | 2023-10-04 | |
| Nasreddine Bencherchali | Update proc_creation_win_rundll32_webdav_client_susp_execution.yml | 2023-03-16 | |