Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Log Source
Category: proxy (Proxy Log)
Detection Logic (3 selectors)
detection:
  selection_webdav:
    c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
    cs-method: 'GET'
  selection_execution:
    c-uri|endswith:
      - '.7z'
      - '.bat'
      - '.dat'
      - '.cmd'
      - '.exe'
      - '.js'
      - '.lnk'
      - '.ps1'
      - '.rar'
      - '.url'
      - '.vbe'
      - '.vbs'
      - '.zip'
  filter_main_local_ips:
    dst_ip|cidr:
      - '127.0.0.0/8'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '169.254.0.0/16'
      - '::1/128' # IPv6 loopback
      - 'fe80::/10' # IPv6 link-local addresses
      - 'fc00::/7' # IPv6 private addresses
  condition: all of selection_* and not 1 of filter_main_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
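To show how the three selectors and the condition combine, here is an added Python example (not part of the rule or of SigmaHQ) that applies the detection logic above to constructed proxy log records; the field names are the rule's, the values are made up, and string matching is done case-insensitively, as Sigma does by default.

```python
# Added example: evaluates the Sigma rule above against constructed proxy log records.
import ipaddress

# Selector values copied from the rule.
USER_AGENT_PREFIX = "microsoft-webdav-miniredir/"
EXTENSIONS = (".7z", ".bat", ".dat", ".cmd", ".exe", ".js", ".lnk",
              ".ps1", ".rar", ".url", ".vbe", ".vbs", ".zip")
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_local(dst_ip: str) -> bool:
    """filter_main_local_ips: True when dst_ip falls inside any listed CIDR (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # an unparsable address cannot match the cidr filter
    return any(addr in net for net in LOCAL_NETS)


def matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selection_webdav = (
        event.get("c-useragent", "").lower().startswith(USER_AGENT_PREFIX)
        and event.get("cs-method", "").upper() == "GET")
    selection_execution = event.get("c-uri", "").lower().endswith(EXTENSIONS)
    return selection_webdav and selection_execution and not is_local(event.get("dst_ip", ""))


# Constructed sample records (documentation IP ranges; not real traffic).
SAMPLE_EVENTS = [
    {"c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "cs-method": "GET",
     "c-uri": "/share/invoice.lnk", "dst_ip": "203.0.113.25"},   # external share: alert
    {"c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "cs-method": "GET",
     "c-uri": "/share/invoice.lnk", "dst_ip": "10.20.30.40"},    # internal share: filtered
    {"c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "cs-method": "PROPFIND",
     "c-uri": "/share/invoice.lnk", "dst_ip": "203.0.113.25"},   # listing, not a GET
    {"c-useragent": "Mozilla/5.0", "cs-method": "GET",
     "c-uri": "/downloads/tool.exe", "dst_ip": "203.0.113.25"},   # browser, not MiniRedir
    {"c-useragent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "cs-method": "GET",
     "c-uri": "/share/Update.EXE", "dst_ip": "2001:db8::10"},     # external IPv6: alert
]


def alerts(events):
    """Return the URIs of the records that satisfy the rule."""
    return [e["c-uri"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['/share/invoice.lnk', '/share/Update.EXE']
```

The PROPFIND record shows why the rule keys on GET: the MiniRedir client issues PROPFIND/OPTIONS when browsing a share, and only the GET indicates the file was actually fetched.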
MITRE ATT&CK
Initial Access: T1566 (Phishing); Resource Development: T1584 (Compromise Infrastructure)
Rule Metadata
Rule ID: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
Status: test
Level: high
Type: Detection
Created: Fri May 10
Author:
Path: rules/web/proxy_generic/proxy_webdav_external_execution.yml
Raw Tags
attack.initial-access, attack.resource-development, attack.t1584, attack.t1566