← Library
sigmaDRL-1.1from SigmaHQ/sigma

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1105
Rule sourcerules/network/zeek/zeek_http_executable_download_from_webdav.yml
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
    - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
    - https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: zeek
    service: http
detection:
    selection_webdav:
        - c-useragent|contains: 'WebDAV'
        - c-uri|contains: 'webdav'
    selection_executable:
        - resp_mime_types|contains: 'dosexec'
        - c-uri|endswith: '.exe'
    condition: selection_webdav and selection_executable
falsepositives:
    - Unknown
level: medium