LoFP / trusted webdav content when the command namespace, parent, utility identity, signer, user/host scope, and child/artifact/destination evidence align with a recognized workflow

Techniques

Sample rules

Suspicious Execution from a WebDav Share

Description

Identifies attempts to execute or invoke content from remote WebDAV shares. Adversaries may abuse WebDAV paths, public tunnels, or host@port UNC paths to run tools or scripts while reducing local staging on the victim file system.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
 process.name : ("cmd.exe", "powershell.exe", "conhost.exe", "wscript.exe", "mshta.exe", "curl.exe", "msiexec.exe", "bitsadmin.exe", "net.exe") and
 process.command_line : ("*trycloudflare.com*", "*@SSL\\*", "*\\webdav\\*", "*\\DavWWWRoot\\*", "*\\\\*.*@8080\\*", "*\\\\*.*@80\\*", "*\\\\*.*@8443\\*", "*\\\\*.*@443\\*") and
 not (process.name : "cmd.exe" and process.args : "\\\\?\\UNC\\*.sharepoint.com@SSL\\DavWWWRoot\\*")
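As an added example that is not part of this LoFP entry or of the rule's own code, the Python below re-implements the rule's matching logic over a few constructed process-start events, so the documented false positive (a cmd.exe copy from a SharePoint WebDAV root, which the rule's `not (...)` clause excludes) can be checked side by side with true matches. The wildcard semantics (case-insensitive, `*` any run of characters, `?` exactly one character), the flattened ECS field names, the `make_event` helper and all host names, paths and user names are assumptions made for the example.

```python
import re

# Process names and command-line patterns copied from the rule above.
WATCHED_PROCESSES = {
    "cmd.exe", "powershell.exe", "conhost.exe", "wscript.exe", "mshta.exe",
    "curl.exe", "msiexec.exe", "bitsadmin.exe", "net.exe",
}

# The rule's EQL literals use "\\" for one backslash; these Python literals
# produce the same unescaped wildcard patterns (e.g. *@SSL\* and *\\*.*@8080\*).
WEBDAV_PATTERNS = [
    "*trycloudflare.com*",
    "*@SSL\\*",
    "*\\webdav\\*",
    "*\\DavWWWRoot\\*",
    "*\\\\*.*@8080\\*",
    "*\\\\*.*@80\\*",
    "*\\\\*.*@8443\\*",
    "*\\\\*.*@443\\*",
]

# Exclusion from the rule: a cmd.exe argument under a SharePoint WebDAV root.
SHAREPOINT_EXCLUSION = "\\\\?\\UNC\\*.sharepoint.com@SSL\\DavWWWRoot\\*"


def eql_wildcard(pattern: str) -> "re.Pattern[str]":
    """Compile an EQL ':' wildcard pattern into an anchored regex."""
    # Assumption mirroring EQL semantics: case-insensitive, '*' matches any run,
    # '?' matches exactly one character (so it also matches the literal '?' in
    # the rule's \\?\UNC\ prefix).
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


_WEBDAV_RE = [eql_wildcard(p) for p in WEBDAV_PATTERNS]
_EXCLUSION_RE = eql_wildcard(SHAREPOINT_EXCLUSION)


def matches_rule(event: dict) -> bool:
    """Return True when a process-start event would trigger the rule."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    name = event.get("process.name", "").lower()
    if name not in WATCHED_PROCESSES:
        return False
    cmdline = event.get("process.command_line", "")
    if not any(p.fullmatch(cmdline) for p in _WEBDAV_RE):
        return False
    # The rule's 'not (...)' clause: cmd.exe reaching a *.sharepoint.com WebDAV
    # root is the recognized workflow this LoFP entry describes.
    if name == "cmd.exe" and any(
        _EXCLUSION_RE.fullmatch(arg) for arg in event.get("process.args", [])
    ):
        return False
    return True


def evaluate(events: list) -> list:
    """One verdict per event, in input order."""
    return [matches_rule(e) for e in events]


def make_event(os_type: str, args: list) -> dict:
    """Build a flattened ECS-style process-start event (helper assumed for the example)."""
    return {
        "host.os.type": os_type,
        "event.type": "start",
        "process.name": args[0],
        "process.command_line": " ".join(args),
        "process.args": list(args),
    }


# Constructed sample events; every host, path and user name is made up.
SAMPLE_EVENTS = [
    # script run from a Cloudflare tunnel WebDAV path: true match
    make_event("windows", ["powershell.exe", "-File",
                           "\\\\example-tunnel.trycloudflare.com@SSL\\DavWWWRoot\\deploy.ps1"]),
    # documented false positive: copy from a SharePoint WebDAV root, excluded
    make_event("windows", ["cmd.exe", "/c", "copy",
                           "\\\\?\\UNC\\contoso.sharepoint.com@SSL\\DavWWWRoot\\sites\\Docs\\report.xlsx",
                           "C:\\Users\\alice\\Documents\\"]),
    # host@port UNC path mentioned in the description: true match
    make_event("windows", ["wscript.exe", "\\\\10.0.0.5@8080\\share\\run.vbs"]),
    # ordinary SMB share without a WebDAV marker: no match
    make_event("windows", ["net.exe", "use", "Z:", "\\\\fileserver\\share"]),
    # Office opening the same SharePoint document: process not in the watched list
    make_event("windows", ["excel.exe",
                           "\\\\contoso.sharepoint.com@SSL\\DavWWWRoot\\sites\\Docs\\report.xlsx"]),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if verdict else "ignore", event["process.command_line"])
```

The exclusion is deliberately narrow: it only suppresses cmd.exe with an argument under `\\?\UNC\*.sharepoint.com@SSL\DavWWWRoot\`, so the same document opened through a different utility or a different WebDAV host is still evaluated against the full pattern list.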