From 8d16ed2cc27efa75903fc0c4e02e86e84471675c Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Fri, 4 Aug 2023 17:37:54 -0700
Subject: [PATCH] Added search(-ms)/WebDAV rules
---
 .../proxy_generic/proxy_webdav_search_ms.yml | 39 +++++++++++++++++++
 ...file_event_win_webdav_tmpfile_creation.yml | 33 ++++++++++++++++
 .../proc_creation_webdav_lnk_execution.yml | 31 +++++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 rules/web/proxy_generic/proxy_webdav_search_ms.yml
 create mode 100644 rules/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
 create mode 100644 rules/windows/process_creation/proc_creation_webdav_lnk_execution.yml
diff --git a/rules/web/proxy_generic/proxy_webdav_search_ms.yml b/rules/web/proxy_generic/proxy_webdav_search_ms.yml
new file mode 100644
index 000000000..a9dbc8e5d
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_webdav_search_ms.yml
@@ -0,0 +1,39 @@
+title: Search-ms and WebDAV Indicators in URL
+id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
+status: experimental
+description: Detects URL pattern used by search(-ms)/WebDAV initial access campaign.
+references:
+    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
+    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+author: Micah Babinski
+date: 2023/07/31
+modified: 2023/08/04
+tags:
+    - attack.initial_access
+    - attack.t1584
+    - attack.t1566
+logsource:
+    category: proxy
+detection:
+    selection_search_ms:
+        c-uri|contains|all:
+            - 'search' # matches on search:query= or search-ms:query=
+            - ':query='
+            - 'webdav'
+    selection_search_term:
+        c-uri|contains:
+            - 'invoice'
+            - 'payment'
+            - 'notice'
+            - 'agreement'
+            # add others!
+    filter:
+        dst_ip:
+            - '127.0.0.0/8'
+            - '10.0.0.0/8'
+            - '172.16.0.0/12'
+            - '192.168.0.0/16'
+    condition: all of selection_* and not filter
+falsepositives:
+    - Legitimate use of search-ms/search URI protocol
+level: high
\ No newline at end of file
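Review bot: The `filter` selection compares `dst_ip` against the literal strings `'127.0.0.0/8'`, `'10.0.0.0/8'`, `'172.16.0.0/12'` and `'192.168.0.0/16'`, so an event whose `dst_ip` is an actual address such as `10.1.2.3` never equals any of them and the internal-destination exclusion never takes effect; Sigma performs network-range matching only through the `cidr` modifier, so the key should be `dst_ip|cidr:` rather than `dst_ip:`. With the filter inert, every internal search-ms/WebDAV URL also raises this `high`-level rule, which makes the stated false-positive profile optimistic. The `# add others!` comment inside `selection_search_term` would be more useful as a maintainer note saying what the list represents, e.g. `# lure-document keywords seen in the referenced campaign reports; extend as new lures are observed`.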
diff --git a/rules/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
new file mode 100644
index 000000000..bb66a7962
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -0,0 +1,33 @@
+title: WebDAV Temporary Local File Creation
+id: 4c55738d-72d8-490e-a2db-7969654e375f
+status: experimental
+description: Detects the creation of WebDAV temporary files with suspicious extensions
+references:
+    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
+    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+author: Micah Babinski
+date: 2023/07/31
+modified: 2023/08/04
+tags:
+    - attack.initial_access
+    - attack.t1584
+    - attack.t1566
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_1:
+        TargetFilename|contains: 'AppData\Local\Temp\TfsStore\Tfs_DAV'
+    selection_2:
+        TargetFilename|endswith:
+            - '.vbs'
+            - '.ps1'
+            - '.lnk'
+            - '.zip'
+            - '.ico'
+            - '.bat'
+            - '.js'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of WebDAV in an environment
+level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_webdav_lnk_execution.yml
new file mode 100644
index 000000000..22d7fe5c7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_webdav_lnk_execution.yml
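Review bot: `selection_1` and `selection_2` are opaque selection names, while the other two rules in this commit use descriptive ones (`selection_search_ms`, `selection_img`, `selection_cmd`); renaming them to `selection_path` and `selection_ext` keeps the three rules readable the same way and leaves `condition: all of selection_*` valid. The path constant `'AppData\Local\Temp\TfsStore\Tfs_DAV'` is the whole basis of the rule but nothing explains it, so a comment above that line would help the next maintainer, e.g. `# local cache directory populated by the Windows WebClient (WebDAV) service — confirm on the OS builds in scope`. Because `contains` is used, the match does not require the path to sit under a user profile; if that is intentional (e.g. service accounts) the false-positive entry could say so.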
@@ -0,0 +1,31 @@
+title: Suspicious WebDAV LNK Execution
+id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
+related:
+    - f0507c0f-a3a2-40f5-acc6-7f543c334993
+status: experimental
+description: Detects possible execution via LNK file accessed on a WebDAV server.
+references:
+    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
+    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
+author: Micah Babinski
+date: 2023/07/31
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1204
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        ParentImage|endswith: '\explorer.exe'
+        Image|endswith:
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\cmd.exe'
+    selection_cmd:
+        CommandLine|contains: '\DavWWWRoot\'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
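Review bot: The `related` entry is a bare rule id, but the Sigma rule schema expects each `related` item to be a mapping with an `id` and a `type` (`derived`, `obsoletes`, `merged`, `renamed` or `similar`), so this line will fail schema validation in the repository's checks; it should read `- id: f0507c0f-a3a2-40f5-acc6-7f543c334993` followed by `  type: similar` (or whichever relation actually applies). The tag `attack.t1059.001` (PowerShell) does not match the interpreters listed under `Image|endswith` (`wscript.exe`, `cscript.exe`, `cmd.exe`), which correspond to other T1059 sub-techniques; either the image list or the tag should be reconciled. `falsepositives: - Unknown` is accepted by the schema but gives triage no starting point — if the authors have seen benign DavWWWRoot launches from Explorer, naming that case here would be more useful.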