After reading this blog post Search-ms, WebDAV, and Chill I noticed that the author added the below sigma rule to the proxy folder and mentioned in the blog that "I didn’t have the opportunity to test this concept, so I can’t guarantee it will work".
title: Search-ms and WebDAV Suspicious Indicators in URL
id: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2
After recreating this technique and generating the appropriate proxy logs it was apparent that this rule will not work as there are no logs with the keywords ('search', ':query=', 'webdav').
I added a new rule with the name Suspicious External WebDAV Execution based on the generated logs. All the notes I took while testing/recreating this technique can be found here.
Changelog
new: Suspicious External WebDAV Execution
remove: Search-ms and WebDAV Suspicious Indicators in URL
Example Log Event
All the logs along with the notes I took can be found here. Below is the log I used to create this rule:
GET http://192.168.17.187:8080/lure%20document.cmd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19044
translate: f
Host: 192.168.17.187:8080
HTTP/1.1 200 OK
Content-Length: 8
Last-Modified: Fri, 01 Mar 2024 14:47:15 GMT
Content-Type: application/octet-stream
Date: Mon, 06 May 2024 07:54:39 GMT
ETag: "4336502-1709304435-8"
Accept-Ranges: bytes
Server: WsgiDAV/4.3.2 Cheroot/10.0.0 Python/3.11.4
Fixed Issues
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions
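Added example, not the PR's rule or SigmaHQ code: a small Python detector that parses a raw proxy-captured HTTP request like the one above and flags a WebDAV Mini-Redirector fetch of a script file. The extension list, the "external" check and the sample requests are my own assumptions; the PR's actual Sigma logic is not reproduced here.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed sample requests, modelled on the PR's log (not copied verbatim).
LAB_REQUEST = (
    "GET http://192.168.17.187:8080/lure%20document.cmd HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19044\r\n"
    "translate: f\r\n"
    "Host: 192.168.17.187:8080\r\n\r\n"
)
BROWSER_REQUEST = (
    "GET http://webdav.example.net/report.pdf HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: webdav.example.net\r\n\r\n"
)

# Assumed list of script/executable extensions worth alerting on.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".lnk", ".vbs", ".js", ".exe", ".hta", ".ps1", ".dll"}


def parse_request(raw):
    """Split a raw HTTP request into (method, url, lowercase-header dict)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, url, headers


def is_external(host):
    """Literal IPs are external when globally routable; hostnames are assumed external."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def is_suspicious_webdav_fetch(raw, require_external=False):
    """True when the Mini-Redirector client fetches a script file (optionally from an external host)."""
    _method, url, headers = parse_request(raw)
    if not headers.get("user-agent", "").startswith("Microsoft-WebDAV-MiniRedir/"):
        return False
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    if not any(path.endswith(ext) for ext in SCRIPT_EXTENSIONS):
        return False
    return not require_external or is_external(parts.hostname or "")
```

With `require_external=True` the lab request above does not fire because 192.168.17.187 is a private address; in production that switch separates legitimate internal WebDAV shares from the phishing case.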