LoFP LoFP / false positives will be present based on legitimate software, filtering may need to occur.

Techniques

Sample rules

Windows Rundll32 WebDAV Request

Description

The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. This particular behavior was recently showcased in CVE-2023-23397.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*","*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_rundll32_webdav_request_filter`

Windows Rundll32 WebDav With Network Connection

Description

The following analytic identifies rundll32.exe with the commandline arguments loading davclnt.dll function - davsetcookie - to be used to access a remote WebDav instance. The analytic attempts to use join from Processes and All_Traffic to identify the network connection. This particular behavior was recently showcased in CVE-2023-23397.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rename dest as src 
| join host process_id [ 
| tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))  by host All_Traffic.process_id 
| `drop_dm_object_name(All_Traffic)`] 
| `windows_rundll32_webdav_with_network_connection_filter`