security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

[Tuning] Rare Connection to WebDAV Target (#5604)

Browse Source 
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
This commit is contained in:
Samirbous
2026-01-26 12:51:09 +00:00
committed by GitHub
parent c608b673bf
commit 30c7833f08
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_rare_webdav_destination.toml
+9 -6
View File
@@ -2,7 +2,7 @@
creation_date = "2025/04/28"
integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2026/01/13"
updated_date = "2026/01/23"
[rule]
author = ["Elastic"]
@@ -62,21 +62,24 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
process.name == "rundll32.exe" and
process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name, user.id
| grok process.command_line """(?<Esql.server_webdav_server>([a-zA-Z0-9-]{4,}\.[a-zA-Z]{2,3}@SSL)|((\d{1,3}\.){3}\d{1,3}))"""
// extract domain or IP address from process cmdline
| grok process.command_line """(?<Esql.server_webdav_server>((http|https)://[a-zA-Z0-9-\.]{1,}\.[a-zA-Z]{2,3}[@\/]+)|(\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b)[@\/]+)"""
// remove sub domains from URL
| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, """((http|https)://[a-zA-Z0-9-]{1,}\.)""", "")
| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, "/", "")
| where
Esql.server_webdav_server is not null and
not Esql.server_webdav_server in ("www.google.com@SSL", "www.elastic.co@SSL", "sharepoint.com@SSL", "live.net@SSL", "google.com@SSL", "SHAREPOINT.COM@SSL", "github.com@SSL") and
not Esql.server_webdav_server in ("www.google.com", "www.elastic.co", "sharepoint.com", "live.net", "google.com", "SHAREPOINT.COM", "github.com") and
// excludes private IP ranges
not Esql.server_webdav_server rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
Esql.event_count = count(*),
Esql.host_id_count_distinct = count_distinct(host.id),
Esql.user_id_count_distinct = count_distinct(user.id),
Esql.host_id_values = values(host.id),
Esql.user_name_values = values(user.name)
by Esql.server_webdav_server
| where
Esql.host_id_count_distinct == 1 and
Esql.event_count <= 3 and Esql.user_id_count_distinct == 1
Esql.host_id_count_distinct == 1 and Esql.event_count <= 3
| eval host.id = MV_MIN(Esql.host_id_values), user.name = MV_MIN(Esql.user_name_values), destination.domain = MV_MIN(Esql.server_webdav_server)
| KEEP host.id, user.name, destination.domain, Esql.*
'''