Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Executable from Webdav

Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
SOC Prime, Adam SwanCreated Fri May 01Updated Sat Nov 27aac2fd97-bcba-491b-ad66-a6edf89c71bfnetwork
Log Source
Zeek (Bro)http
ProductZeek (Bro)← raw: zeek
Servicehttp← raw: http
Detection Logic
Detection Logic2 selectors
detection:
    selection_webdav:
        - c-useragent|contains: 'WebDAV'
        - c-uri|contains: 'webdav'
    selection_executable:
        - resp_mime_types|contains: 'dosexec'
        - c-uri|endswith: '.exe'
    condition: selection_webdav and selection_executable
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
carnal0wnage.attackresearch.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
aac2fd97-bcba-491b-ad66-a6edf89c71bf
Status
test
Level
medium
Type
Detection
Created
Fri May 01
Modified
Sat Nov 27
Author
SOC Prime, Adam Swan
Path
rules/network/zeek/zeek_http_executable_download_from_webdav.yml
Raw Tags
attack.command-and-controlattack.t1105
View on GitHub