Rare Connection to WebDAV Target

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Rare Connection to WebDAV Target

Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-3660s (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://attack.mitre.org/techniques/T1187/

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Windows Security Event Logs
Data Source: Microsoft Defender for Endpoint
Data Source: Crowdstrike
Resources: Investigation Guide

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Rare Connection to WebDAV Target

Possible investigation steps

Examine the reputation of the destination domain or IP address.
Verify if the target user opened any attachments or clicked links pointing to the same target within seconds from the alert timestamp.
Correlate the findings with other security logs and alerts to identify any patterns or additional indicators of compromise related to the potential relay attack.

False positive analysis

User accessing legit WebDAV resources.

Response and remediation

Conduct a password reset for the target account that may have been compromised or are at risk, ensuring the use of strong, unique passwords.
Verify whether other users were targeted but did not open the lure..
Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
Conduct a post-incident review to identify any gaps in security controls and update policies or procedures to prevent recurrence, ensuring lessons learned are applied to improve overall security posture.

Rule query

edit

from logs-*
| where
    @timestamp > now() - 8 hours and
    event.category == "process" and
    event.type == "start" and
    process.name == "rundll32.exe" and
    process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok
    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval
    Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
| where
    Esql.server_webdav_cookie_replace is not null and
    Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
    not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
    not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
    Esql.event_count = count(*),
    Esql.host_id_count_distinct = count_distinct(host.id),
    Esql.host_id_values = values(host.id),
    Esql.user_name_values = values(user.name)
  by Esql.server_webdav_cookie_replace
| where
    Esql.host_id_count_distinct == 1 and
    Esql.event_count <= 3

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Forced Authentication
- ID: T1187
- Reference URL: https://attack.mitre.org/techniques/T1187/

« Rare AWS Error Code Rare SMB Connection to the Internet »