sigmalowHunting

WebDav Put Request

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

MITRE ATT&CK

T1048.003

exfiltration

Detection Query

selection:
  user_agent|contains: WebDAV
  method: PUT
filter:
  id.resp_h|cidr:
    - 10.0.0.0/8
    - 127.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 169.254.0.0/16
condition: selection and not filter

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Created

2020-05-02

Data Sources

zeekhttp

Platforms

zeek

References

https://github.com/OTRF/detection-hackathon-apt29/issues/17

Tags

attack.exfiltrationattack.t1048.003

Raw Content

title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low