← Library
sigmaDRL-1.1from SigmaHQ/sigma

WebDav Put Request

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1048.003
Rule sourcerules/network/zeek/zeek_http_webdav_put_request.yml
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low