Suspicious WebDav Client Execution

Rule Info

Tags
attack.exfiltration cve.2023.23397 attack.t1048.003 DEMO
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Name
Suspicious WebDav Client Execution
Description
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Date
2023-03-16 00:00:00
Reference
https://twitter.com/aceresponder/status/1636116096506818562
Id
982e9f2d-1a85-4d5b-aea4-31f5e97c6555
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=982e9f2d-1a85-4d5b-aea4-31f5e97c6555

Rule History

Commit
Date
Author
Title
0ebbd09ab
2023-03-16
Florian Roth
fix: removed unnecessary escapes
e4864b43d
2023-03-16
Florian Roth
fix: regular expression
4287d790a
2023-03-16
Nasreddine Bencherchali
Update proc_creation_win_rundll32_webdav_client_susp_execution.yml
5ca7978eb
2023-03-16
Nasreddine Bencherchali
fix: escape slashes
49a43832c
2023-03-16
Nasreddine Bencherchali
fix: enhance selection
db62085f7
2023-03-16
Nasreddine Bencherchali
fix: ip regex
5b14835a3
2023-03-16
Nasreddine Bencherchali
feat: add new rules related to `CVE-2023-23397`
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022