Suspicious WebDav Client Execution Via Rundll32.EXE

Rule Info

Name

Suspicious WebDav Client Execution Via Rundll32.EXE

Author

Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)

Description

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

Reference

https://twitter.com/aceresponder/status/1636116096506818562

Date

2023-03-16 00:00:00

Modified

2023-09-18 00:00:00

Id

982e9f2d-1a85-4d5b-aea4-31f5e97c6555

Tags

attack.exfiltration attack.t1048.003 cve.2023-23397

Type

Community Rule

Link to Public Repo

https://github.com/SigmaHQ/sigma/search?q=982e9f2d-1a85-4d5b-aea4-31f5e97c6555

Rule History

Author

Title

Date

Commit

Nasreddine Bencherchali

Merge PR #4950 from @nasbench - Comply With v2 Spec Changes

2024-08-12

github-actions[bot]

Merge PR #4942 from @nasbench - promote older rules status from experimental to test

2024-08-01

Nasreddine Bencherchali

Merge PR #4482 From @nasbench - Add New Automation Workflows

2023-10-18

Nasreddine Bencherchali

Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements

2023-10-04

Nasreddine Bencherchali

feat: new rules, updates and fp fixes (#4162)

2023-04-11

Florian Roth

fix: removed unnecessary escapes

2023-03-16

Florian Roth

fix: regular expression

2023-03-16

Nasreddine Bencherchali

Update proc_creation_win_rundll32_webdav_client_susp_execution.yml

2023-03-16

Nasreddine Bencherchali

fix: escape slashes

2023-03-16

Nasreddine Bencherchali

fix: enhance selection

2023-03-16

Nasreddine Bencherchali

fix: ip regex

2023-03-16

Nasreddine Bencherchali

feat: add new rules related to `CVE-2023-23397`

2023-03-16