Micah Babinski
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
title: Search-ms and WebDAV Indicators in URL
|
|
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
|
|
status: experimental
|
|
description: Detects URL pattern used by search(-ms)/WebDAV initial access campaign.
|
|
references:
|
|
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
|
|
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
|
|
author: Micah Babinski
|
|
date: 2023/07/31
|
|
modified: 2023/08/04
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1584
|
|
- attack.t1566
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection_search_ms:
|
|
c-uri|contains|all:
|
|
- 'search' # matches on search:query= or search-ms:query=
|
|
- ':query='
|
|
- 'webdav'
|
|
selection_search_term:
|
|
c-uri|contains:
|
|
- 'invoice'
|
|
- 'payment'
|
|
- 'notice'
|
|
- 'agreement'
|
|
# add others!
|
|
filter:
|
|
dst_ip:
|
|
- '127.0.0.0/8'
|
|
- '10.0.0.0/8'
|
|
- '172.16.0.0/12'
|
|
- '192.168.0.0/16'
|
|
condition: all of selection_* and not filter
|
|
falsepositives:
|
|
- Legitimate use of search-ms/search URI protocol
|
|
level: high |