
Rule Info
Tags
attack.exfiltration cve.2023.23397 attack.t1048.003 DEMO
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Name
Suspicious WebDav Client Execution
Description
Detects "svchost.exe" spawning "rundll32.exe" with command-line arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could indicate exfiltration, the use of WebDav to launch code hosted on a WebDav server, or potentially exploitation of CVE-2023-23397.
Date
2023-03-16 00:00:00
Id
982e9f2d-1a85-4d5b-aea4-31f5e97c6555
Type
Community Rule
Rule History
Commit
Date
Author
Title
2023-03-16
Nasreddine Bencherchali
Update proc_creation_win_rundll32_webdav_client_susp_execution.yml