SigmaHQ / sigma

Main Sigma Rule Repository

Proxy WebDAV Rule Improvements/New Rule #4845

Closed ahmedfarou22 closed 1 month ago

ahmedfarou22 commented 1 month ago

Summary of the Pull Request

After reading this blog post Search-ms, WebDAV, and Chill I noticed that the author added the below sigma rule to the proxy folder and mentioned in the blog that "I didn’t have the opportunity to test this concept, so I can’t guarantee it will work".

After recreating this technique and generating the appropriate proxy logs it was apparent that this rule will not work as there are no logs with the keywords ('search', ':query=', 'webdav').

I added a new rule with the name Suspicious External WebDAV Execution based on the generated logs. All the notes I took while testing/recreating this technique can be found here.

Changelog

new: Suspicious External WebDAV Execution
remove: Search-ms and WebDAV Suspicious Indicators in URL

Example Log Event

All the logs along with the notes I took can be found here. Below is the log I used to create this rule:

GET http://192.168.17.187:8080/lure%20document.cmd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19044
translate: f
Host: 192.168.17.187:8080

HTTP/1.1 200 OK
Content-Length: 8
Last-Modified: Fri, 01 Mar 2024 14:47:15 GMT
Content-Type: application/octet-stream
Date: Mon, 06 May 2024 07:54:39 GMT
ETag: "4336502-1709304435-8"
Accept-Ranges: bytes
Server: WsgiDAV/4.3.2 Cheroot/10.0.0 Python/3.11.4

Fixed Issues

SigmaHQ Rule Creation Conventions
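The detection idea behind this PR, as an added example rather than the PR's own Sigma rule: parse proxy-logged HTTP requests like the one above, show that the removed rule's URL keywords never match the real request, and instead flag a Microsoft-WebDAV-MiniRedir user agent fetching a script-type file, noting whether the WebDAV host is external. The sample requests, the extension list and the hostname share.example.test are constructed here and are not from the PR.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed samples: the first mirrors the PR's lab capture (private lab
# IP); the other two are made up here, using a reserved example hostname.
SAMPLE_REQUESTS = [
    "GET http://192.168.17.187:8080/lure%20document.cmd HTTP/1.1\n"
    "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19044\ntranslate: f\n"
    "Host: 192.168.17.187:8080",
    "GET http://share.example.test/docs/invoice.lnk HTTP/1.1\n"
    "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.22621\ntranslate: f\n"
    "Host: share.example.test",
    "GET http://share.example.test/docs/readme.txt HTTP/1.1\n"
    "User-Agent: Mozilla/5.0\nHost: share.example.test",
]
# Script/executable types worth flagging when pulled over WebDAV (assumed list)
SCRIPT_EXTS = {".cmd", ".bat", ".lnk", ".exe", ".vbs", ".js", ".hta", ".ps1"}
# URL keywords of the rule the PR removes (Sigma 'contains' is case-insensitive)
OLD_URL_KEYWORDS = ("search", ":query=", "webdav")

def parse_request(raw):
    """Split a raw HTTP request into (method, url, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers

def old_rule_matches(url):
    """The removed rule only looked for its indicators in the request URL."""
    return any(k in url.lower() for k in OLD_URL_KEYWORDS)

def is_external(hostname):
    """Private/loopback IPs are internal; a DNS name is treated as external."""
    try:
        return ipaddress.ip_address(hostname).is_global
    except ValueError:
        return True

def detect_webdav_execution(raw):
    """Return a finding for a MiniRedir fetch of a script-type file, else None."""
    _method, url, headers = parse_request(raw)
    if not headers.get("user-agent", "").startswith("Microsoft-WebDAV-MiniRedir/"):
        return None
    parts = urlsplit(url)
    path = unquote(parts.path)          # "%20" -> " " before checking the extension
    ext = posixpath.splitext(path)[1].lower()
    if ext not in SCRIPT_EXTS:
        return None
    return {"host": parts.hostname, "path": path, "ext": ext,
            "external": is_external(parts.hostname)}
```

In a real deployment the `external` flag would come from your proxy's own destination classification; here it only distinguishes private IP space from everything else.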