Suspicious WebDav Client Execution Via Rundll32.EXE

Rule Info

Name
Suspicious WebDav Client Execution Via Rundll32.EXE
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Description
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Reference
https://twitter.com/aceresponder/status/1636116096506818562
Date
2023-03-16 00:00:00
Modified
2023-09-18 00:00:00
Id
982e9f2d-1a85-4d5b-aea4-31f5e97c6555
Tags
attack.exfiltration attack.t1048.003 cve.2023.23397 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=982e9f2d-1a85-4d5b-aea4-31f5e97c6555

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
Nasreddine Bencherchali
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
2023-10-04
e230acd7e
Nasreddine Bencherchali
feat: new rules, updates and fp fixes (#4162)
2023-04-11
2710bf471
Florian Roth
fix: removed unnecessary escapes
2023-03-16
0ebbd09ab
Florian Roth
fix: regular expression
2023-03-16
e4864b43d
Nasreddine Bencherchali
Update proc_creation_win_rundll32_webdav_client_susp_execution.yml
2023-03-16
4287d790a
Nasreddine Bencherchali
fix: escape slashes
2023-03-16
5ca7978eb
Nasreddine Bencherchali
fix: enhance selection
2023-03-16
49a43832c
Nasreddine Bencherchali
fix: ip regex
2023-03-16
db62085f7
Nasreddine Bencherchali
feat: add new rules related to `CVE-2023-23397`
2023-03-16
5b14835a3
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022