[Tuning] Rare Connection to WebDAV Target (#5556)

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
Samirbous
2026-01-23 11:17:19 +00:00
committed by GitHub
parent 4408ea014b
commit ccfb69244a
@@ -2,7 +2,7 @@
creation_date = "2025/04/28"
integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/12/05"
updated_date = "2026/01/13"
[rule]
author = ["Elastic"]
@@ -61,24 +61,24 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
event.type == "start" and
process.name == "rundll32.exe" and
process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval
Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
| keep host.id, process.command_line, user.name, user.id
| grok process.command_line """(?<Esql.server_webdav_server>([a-zA-Z0-9-]{4,}\.[a-zA-Z]{2,3}@SSL)|((\d{1,3}\.){3}\d{1,3}))"""
| where
Esql.server_webdav_cookie_replace is not null and
Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
Esql.server_webdav_server is not null and
not Esql.server_webdav_server in ("www.google.com@SSL", "www.elastic.co@SSL", "sharepoint.com@SSL", "live.net@SSL", "google.com@SSL", "SHAREPOINT.COM@SSL", "github.com@SSL") and
not Esql.server_webdav_server rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
Esql.event_count = count(*),
Esql.host_id_count_distinct = count_distinct(host.id),
Esql.user_id_count_distinct = count_distinct(user.id),
Esql.host_id_values = values(host.id),
Esql.user_name_values = values(user.name)
by Esql.server_webdav_cookie_replace
by Esql.server_webdav_server
| where
Esql.host_id_count_distinct == 1 and
Esql.event_count <= 3
Esql.event_count <= 3 and Esql.user_id_count_distinct == 1
| eval host.id = MV_MIN(Esql.host_id_values), user.name = MV_MIN(Esql.user_name_values), destination.domain = MV_MIN(Esql.server_webdav_server)
| KEEP host.id, user.name, destination.domain, Esql.*
'''
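Review bot: The new `grok` for `Esql.server_webdav_server` only matches hostnames whose final label is 2–3 letters and whose preceding label is at least 4 characters, so a WebDAV target on a longer TLD (`.info`, `.cloud`, …) or with a short name yields a null and is silently dropped by the `Esql.server_webdav_server is not null` filter — a coverage gap this tuning narrows rather than fixes. If the pattern is applied unanchored (as it appears to be), a multi-label host such as `files.example.net@SSL` also captures only `example.net@SSL`, so the `stats ... by Esql.server_webdav_server` grouping collapses every subdomain of one domain and `destination.domain` reports the suffix rather than the actual host; widening the TLD class to `[a-zA-Z]{2,}` and allowing repeated labels, `(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}@SSL)`, as the old `rlike` already did, would keep the extraction closer to the real target. The allowlist listing both `sharepoint.com@SSL` and `SHAREPOINT.COM@SSL` suggests the `in (...)` comparison is case-sensitive, so `SharePoint.com@SSL` would bypass it; normalizing once with `| eval Esql.server_webdav_server = to_lower(Esql.server_webdav_server)` before the `where` and keeping a single lowercase list is more robust. The ES|QL query string begins before this hunk, so the `from`/`where` preamble cannot be checked here.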