Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

WebDav Put Request

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sat May 02Updated Wed Mar 13705072a5-bb6f-4ced-95b6-ecfa6602090bnetwork
Log Source
Zeek (Bro)http
ProductZeek (Bro)← raw: zeek
Servicehttp← raw: http
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
705072a5-bb6f-4ced-95b6-ecfa6602090b
Status
test
Level
low
Type
Detection
Created
Sat May 02
Modified
Wed Mar 13
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Path
rules/network/zeek/zeek_http_webdav_put_request.yml
Raw Tags
attack.exfiltrationattack.t1048.003
View on GitHub