← Back to Explore
sigmamediumHunting
WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with potentially suspicious extensions
Detection Query
selection:
TargetFilename|contains: \AppData\Local\Temp\TfsStore\Tfs_DAV\
TargetFilename|endswith:
- .7z
- .bat
- .dat
- .ico
- .js
- .lnk
- .ps1
- .rar
- .vbe
- .vbs
- .zip
condition: selection
Author
Micah Babinski
Created
2023-08-21
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.initial-accessattack.resource-developmentattack.t1584attack.t1566detection.threat-hunting
Raw Content
title: WebDAV Temporary Local File Creation
id: 4c55738d-72d8-490e-a2db-7969654e375f
related:
- id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
type: similar
status: test
description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
author: Micah Babinski
date: 2023-08-21
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\TfsStore\Tfs_DAV\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.ico'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.vbe'
- '.vbs'
- '.zip'
condition: selection
falsepositives:
- Legitimate use of WebDAV in an environment
level: medium