IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Rare AWS Error Code Rare SMB Connection to the Internet »
Elastic Docs Elastic Security [8.18] Detections and alerts Prebuilt rule reference

Rare Connection to WebDAV Target

edit
A newer version is available. Check out the latest documentation.

Rare Connection to WebDAV Target

edit

Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-3660s (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Data Source: Elastic Defend
  • Data Source: Windows Security Event Logs
  • Data Source: Microsoft Defender for Endpoint
  • Data Source: Crowdstrike
  • Resources: Investigation Guide

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Rare Connection to WebDAV Target

Possible investigation steps

  • Examine the reputation of the destination domain or IP address.
  • Verify if the target user opened any attachments or clicked links pointing to the same target within seconds from the alert timestamp.
  • Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.

False positive analysis

  • User accessing legit WebDAV resources.

Response and remediation

  • Conduct a password reset for the target account that may have been compromised or are at risk, ensuring the use of strong, unique passwords.
  • Verify whether other users were targeted but did not open the lure..
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
  • Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.

Rule query

edit
from logs-*
| where
    @timestamp > now() - 8 hours and
    event.category == "process" and
    event.type == "start" and
    process.name == "rundll32.exe" and
    process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok
    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval
    Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
| where
    Esql.server_webdav_cookie_replace is not null and
    Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
    not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
    not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
    Esql.event_count = count(*),
    Esql.host_id_count_distinct = count_distinct(host.id),
    Esql.host_id_values = values(host.id),
    Esql.user_name_values = values(user.name)
  by Esql.server_webdav_cookie_replace
| where
    Esql.host_id_count_distinct == 1 and
    Esql.event_count <= 3

Framework: MITRE ATT&CKTM

« Rare AWS Error Code Rare SMB Connection to the Internet »