From 8ddd40e18ea8a1b48e22ec68c3c6907fa48c6ee7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 9 Apr 2018 08:36:56 +0200
Subject: [PATCH] PowerShell Cradle - WebDAV UA

---
 .../proxy_powershell_download_webdav.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/proxy/proxy_powershell_download_webdav.yml

diff --git a/rules/proxy/proxy_powershell_download_webdav.yml b/rules/proxy/proxy_powershell_download_webdav.yml
new file mode 100644
index 000000000..2d428561c
--- /dev/null
+++ b/rules/proxy/proxy_powershell_download_webdav.yml
@@ -0,0 +1,21 @@
+title: Windows PowerShell WebDav User Agent
+status: experimental
+description: Detects Windows PowerShell Web Access
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+        UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+level: high
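Review bot: The `description` line does not describe what the `selection` actually matches: "Windows PowerShell Web Access" is a separate Microsoft gateway feature, whereas the rule keys solely on the `Microsoft-WebDAV-MiniRedir/*` user agent, which is the string the Windows WebDAV Mini-Redirector sends when a UNC/WebDAV path is accessed over HTTP, as the referenced download-cradle post describes. I would reword it to something like `description: Detects the Windows WebDAV Mini-Redirector user agent in proxy logs, which appears when PowerShell download cradles fetch payloads via a WebDAV share` so an analyst triaging a hit knows what the UA signifies. Because that user agent is emitted by the WebClient service for any process touching a WebDAV share, not only PowerShell, the `falsepositives` list should presumably also mention legitimate WebDAV-backed shares (for example SharePoint or document-management mounts), and `level: high` may be worth reconsidering in environments where such shares are common. The `date: 2018/04/06` value is a plain scalar that YAML reads as a string, which is fine for Sigma, but quoting it would make that intent explicit.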