diff --git a/rules/web/proxy_generic/proxy_webdav_search_ms.yml b/deprecated/web/proxy_webdav_search_ms.yml
similarity index 93%
rename from rules/web/proxy_generic/proxy_webdav_search_ms.yml
rename to deprecated/web/proxy_webdav_search_ms.yml
index cf891ff93e3..242530f5955 100644
--- a/rules/web/proxy_generic/proxy_webdav_search_ms.yml
+++ b/deprecated/web/proxy_webdav_search_ms.yml
@@ -1,13 +1,13 @@
 title: Search-ms and WebDAV Suspicious Indicators in URL
 id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
-status: experimental
+status: deprecated # See https://github.com/SigmaHQ/sigma/pull/4845
 description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
 references:
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
 author: Micah Babinski
 date: 2023/08/21
-modified: 2024/03/13
+modified: 2024/05/10
 tags:
 - attack.initial_access
 - attack.t1584
@@ -40,4 +40,4 @@ detection:
 condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
-level: high
+level: high
\ No newline at end of file
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
index 0d5fe0d9f6b..fb9b1ad666b 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -1,10 +1,14 @@
 title: WebDAV Temporary Local File Creation
 id: 4c55738d-72d8-490e-a2db-7969654e375f
+related:
+ - id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
+ type: similar
 status: experimental
 description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
 references:
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+ - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
 author: Micah Babinski
 date: 2023/08/21
 tags:
diff --git a/rules/web/proxy_generic/proxy_webdav_external_execution.yml b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
new file mode 100644
index 00000000000..162e07b85d5
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
@@ -0,0 +1,54 @@
+title: Suspicious External WebDAV Execution
+id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
+related:
+ - id: 4c55738d-72d8-490e-a2db-7969654e375f
+ type: similar
+status: experimental
+description: |
+ Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
+references:
+ - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
+ - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+ - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
+ - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
+author: Ahmed Farouk
+date: 2024/05/10
+tags:
+ - attack.initial_access
+ - attack.t1584
+ - attack.t1566
+logsource:
+ category: proxy
+detection:
+ selection_webdav:
+ c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
+ cs-method: 'GET'
+ selection_execution:
+ c-uri|endswith:
+ - '.7z'
+ - '.bat'
+ - '.dat'
+ - '.cmd'
+ - '.exe'
+ - '.js'
+ - '.lnk'
+ - '.ps1'
+ - '.rar'
+ - '.url'
+ - '.vbe'
+ - '.vbs'
+ - '.zip'
+ filter_main_local_ips:
+ dst_ip|cidr:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '169.254.0.0/16'
+ - '::1/128' # IPv6 loopback
+ - 'fe80::/10' # IPv6 link-local addresses
+ - 'fc00::/7' # IPv6 private addresses
+ condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
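Review bot: The `description` (and the title's "Execution") overstates what a `category: proxy` source can see: `selection_webdav` and `selection_execution` match the Mini-Redirector's `GET` of the file, not whether the user ran it, and the list also covers archives and `.dat`, so the block scalar should read `Detects the download of executable, script or archive files from external WebDAV shares via the Windows WebDAV Mini-Redirector (WebClient service), a pattern seen in initial access campaigns.` The only exclusion is the private-range `filter_main_local_ips`, so every public WebDAV endpoint stays in scope, and `Microsoft-WebDAV-MiniRedir/` is the same user agent Windows sends to sanctioned cloud shares (e.g. SharePoint Online mapped as a drive), which serve `.zip`/`.exe` from public IPs; `falsepositives` should replace `Unknown` with `Legitimate software distribution over approved external WebDAV/cloud shares (e.g. SharePoint Online); tune with a filter on cs-host` rather than shipping at `level: high` with no known benign case. A comment on the filter is also warranted: `dst_ip` is not populated by every proxy that logs only `cs-host`/`r-dns`, and because the condition is `not 1 of filter_main_*` an absent field silently disables the exclusion and the rule then fires on internal shares as well. Worth considering but not blocking: `100.64.0.0/10` (carrier-grade NAT, used by some overlay VPNs) is missing from `dst_ip|cidr`; `c-uri|endswith` misses URIs carrying a query string where `c-uri-extension` from the proxy taxonomy would not; and `.hta`, `.wsf`, `.jse`, `.msi` and `.iso` are absent from the extension list despite appearing in the same campaign family the references describe.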