Rare Connection to WebDAV Target

Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-3660s
Maximum alerts per execution: ?
References:

https://attack.mitre.org/techniques/T1187/

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Windows Security Event Logs
Data Source: Microsoft Defender for Endpoint
Data Source: Crowdstrike
Resources: Investigation Guide

Version: ?
Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Rare Connection to WebDAV Target

Possible investigation steps

Examine the reputation of the destination domain or IP address.
Verify if the target user opened any attachments or clicked links pointing to the same target within seconds from the alert timestamp.
Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.

False positive analysis

User accessing legit WebDAV resources.

Response and remediation

Conduct a password reset for the target account that may have been compromised or are at risk, ensuring the use of strong, unique passwords.
Verify whether other users were targeted but did not open the lure..
Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.

Rule Query

		from logs-*
| where
    @timestamp > now() - 8 hours and
    event.category == "process" and
    event.type == "start" and
    process.name == "rundll32.exe" and
    process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok
    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval
    Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
| where
    Esql.server_webdav_cookie_replace is not null and
    Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
    not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
    not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
    Esql.event_count = count(*),
    Esql.host_id_count_distinct = count_distinct(host.id),
    Esql.host_id_values = values(host.id),
    Esql.user_name_values = values(user.name)
  by Esql.server_webdav_cookie_replace
| where
    Esql.host_id_count_distinct == 1 and
    Esql.event_count <= 3
		
	

Framework: MITRE ATT&CK

Tactic:
- Name: Credential Access
- Id: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Forced Authentication
- Id: T1187
- Reference URL: https://attack.mitre.org/techniques/T1187/