blue-team-tools/rules/proxy/proxy_executable_download_from_webdav.yml
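---
# Sigma rule, proxy log source: an executable fetched over WebDAV.
# Indentation restored to Sigma's conventional 2-space block layout and the
# document start marker added; all field values are unchanged except the
# condition keyword, lowercased to match the Sigma spec ("and"/"or"/"not").
title: Executable from Webdav
description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
author: 'SOC Prime, Adam Swan'
references:
  - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
  - https://github.com/OTRF/detection-hackathon-apt29
tags:
  - attack.command_and_control
  # NOTE(review): T1043 (Commonly Used Port) was deprecated in later ATT&CK
  # releases; confirm the mapping against the current ATT&CK version.
  - attack.T1043
logsource:
  category: proxy
# Sigma dates use yyyy/mm/dd; with slashes this is not an ISO timestamp, so
# YAML parsers keep it as a plain string.
date: 2020/05/01
detection:
  # Sigma OR's the items of a list: either a WebDAV user agent or a "webdav"
  # fragment anywhere in the request URI satisfies this selection.
  selection_webdav:
    - c-useragent: '*WebDAV*'
    - c-uri: '*webdav*'
  # Also OR'ed: a PE MIME type reported in the response, or a URI that ends
  # in ".exe". The second pattern has no trailing wildcard, so a URI carrying
  # a query string after ".exe" is matched only via the MIME-type branch.
  selection_executable:
    - resp_mime_types: '*dosexec*'
    - c-uri: '*.exe'
  # Both selections must hold: WebDAV traffic that delivers an executable.
  condition: selection_webdav and selection_executable
falsepositives:
  - unknown
level: medium
status: experimental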