sigma | medium | Hunting
Executable from Webdav
Detects an executable being fetched over WebDAV. Can be seen in APT29 activity, for example in the emulated APT29 detection hackathon https://github.com/OTRF/detection-hackathon-apt29/
Detection Query
    selection_webdav:
        - c-useragent|contains: WebDAV
        - c-uri|contains: webdav
    selection_executable:
        - resp_mime_types|contains: dosexec
        - c-uri|endswith: .exe
    condition: selection_webdav and selection_executable
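Two points of Sigma semantics matter when reading this query. Each selection is written as a YAML list of single-key maps, so the entries are OR-ed: a request matches selection_webdav if either the user agent contains "WebDAV" (the Windows client identifies itself as Microsoft-WebDAV-MiniRedir/<build>) or the URI contains "webdav", and it matches selection_executable if either Zeek's file signature detection tagged the response body as a DOS/PE executable (application/x-dosexec in resp_mime_types, which works even when the file is renamed to .png) or the URI simply ends in .exe. String matching is case-insensitive. The condition then ANDs the two selections. The following Python evaluates exactly those semantics over a handful of constructed Zeek http.log JSON records; it is an added illustration, not code from the rule's authors or from the Sigma project, and it assumes the rule's c-useragent and c-uri fields map to Zeek's user_agent and uri columns (check your backend's field mapping before relying on that). The log lines are made up for the example.

```python
import json

# Constructed Zeek http.log records in JSON form (not real captures).
# Zeek emits resp_mime_types as a set of strings from its file-signature
# detection, so it is independent of the file extension in the URI.
SAMPLE_HTTP_LOG = [
    # Windows WebDAV client pulling a PE: both selections hit -> alert
    '{"ts":1588320000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7",'
    '"method":"GET","uri":"/webdav/update.exe",'
    '"user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19041",'
    '"status_code":200,"resp_mime_types":["application/x-dosexec"]}',
    # Same client only enumerating the share: WebDAV but no executable -> no alert
    '{"ts":1588320001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7",'
    '"method":"PROPFIND","uri":"/webdav/",'
    '"user_agent":"Microsoft-WebDAV-MiniRedir/10.0.19041",'
    '"status_code":207,"resp_mime_types":["text/xml"]}',
    # Browser downloading an installer: executable but not WebDAV -> no alert
    '{"ts":1588320002.3,"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.4",'
    '"method":"GET","uri":"/downloads/setup.exe","user_agent":"Mozilla/5.0",'
    '"status_code":200,"resp_mime_types":["application/x-dosexec"]}',
    # PE renamed to .png on a webdav path: no .exe suffix, but libmagic says dosexec -> alert
    '{"ts":1588320003.4,"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7",'
    '"method":"GET","uri":"/WebDAV/logo.png","user_agent":"Mozilla/5.0",'
    '"status_code":200,"resp_mime_types":["application/x-dosexec"]}',
]

# Assumed mapping from the rule's field names to Zeek http.log columns.
FIELD_MAP = {
    "c-useragent": "user_agent",
    "c-uri": "uri",
    "resp_mime_types": "resp_mime_types",
}

# The rule's detection section, transcribed as Python structures.
RULE = {
    "selection_webdav": [
        {"c-useragent|contains": "WebDAV"},
        {"c-uri|contains": "webdav"},
    ],
    "selection_executable": [
        {"resp_mime_types|contains": "dosexec"},
        {"c-uri|endswith": ".exe"},
    ],
}


def _field_values(record, field):
    """Return the record's value(s) for a rule field as a list of strings.

    Set-valued Zeek fields (resp_mime_types) arrive as JSON lists; scalar
    fields are wrapped so both cases are handled uniformly. Missing fields
    (Zeek omits empty sets) yield an empty list and therefore never match.
    """
    value = record.get(FIELD_MAP.get(field, field))
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def _item_matches(record, key, pattern):
    """Evaluate one 'field|modifier: value' pair, case-insensitively."""
    field, _, modifier = key.partition("|")
    pat = str(pattern).lower()
    for raw in _field_values(record, field):
        val = raw.lower()
        if modifier == "contains" and pat in val:
            return True
        if modifier == "endswith" and val.endswith(pat):
            return True
        if modifier == "startswith" and val.startswith(pat):
            return True
        if modifier == "" and val == pat:
            return True
    return False


def selection_matches(record, selection):
    """A selection given as a list of maps is an OR of its entries;
    the keys inside a single map are AND-ed."""
    return any(
        all(_item_matches(record, k, v) for k, v in entry.items())
        for entry in selection
    )


def rule_matches(record):
    """condition: selection_webdav and selection_executable"""
    return selection_matches(record, RULE["selection_webdav"]) and \
        selection_matches(record, RULE["selection_executable"])


def hunt(json_lines):
    """Return the uid of every http.log record the rule fires on."""
    hits = []
    for line in json_lines:
        record = json.loads(line)
        if rule_matches(record):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    for uid in hunt(SAMPLE_HTTP_LOG):
        print("alert:", uid)
```

Running it flags C1 and C4 and leaves C2 and C3 alone. C4 is the interesting case: a payload renamed to a harmless extension is still caught because the rule keys on Zeek's signature-derived MIME type, not on the URI. The flip side is that any client touching a path containing "webdav" (not just the Windows MiniRedir) satisfies the first selection, so legitimate software distribution from a WebDAV share will also fire and needs to be tuned out per environment.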
Author
SOC Prime, Adam Swan
Created
2020-05-01
Data Sources
zeek / http
Platforms
zeek
References
    http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
    https://github.com/OTRF/detection-hackathon-apt29
Tags
    attack.command-and-control, attack.t1105
Raw Content
    title: Executable from Webdav
    id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
    status: test
    description: 'Detects an executable being fetched over WebDAV. Can be seen in APT29 activity, for example in the emulated APT29 detection hackathon https://github.com/OTRF/detection-hackathon-apt29/'
    references:
        - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
        - https://github.com/OTRF/detection-hackathon-apt29
    author: 'SOC Prime, Adam Swan'
    date: 2020-05-01
    modified: 2021-11-27
    tags:
        - attack.command-and-control
        - attack.t1105
    logsource:
        product: zeek
        service: http
    detection:
        selection_webdav:
            - c-useragent|contains: 'WebDAV'
            - c-uri|contains: 'webdav'
        selection_executable:
            - resp_mime_types|contains: 'dosexec'
            - c-uri|endswith: '.exe'
        condition: selection_webdav and selection_executable
    falsepositives:
        - Unknown
    level: medium