security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/web/proxy_generic/proxy_webdav_search_ms.yml
T
phantinuss 188236a4eb Merge PR #4393 from @phantinuss - use explicit CIDR notation for loopback 
fix: Search-ms and WebDAV Suspicious Indicators in URL - use explicit CIDR notation for loopback
2023-08-25 10:29:04 +02:00

43 lines
1.3 KiB
YAML
Raw Blame History

title: Search-ms and WebDAV Suspicious Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
status: experimental
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023/08/21
modified: 2023/08/25
tags:
- attack.initial_access
- attack.t1584
- attack.t1566
logsource:
category: proxy
detection:
selection_search_ms:
c-uri|contains|all:
- 'search' # Matches on search:query= or search-ms:query=
- ':query='
- 'webdav'
selection_search_term:
c-uri|contains:
# Note: Add additional keywords for additional coverage
- 'agreement'
- 'invoice'
- 'notice'
- 'payment'
filter_main_local_ips:
dst_ip|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink