Threat Hunt | low | experimental

Process Execution From WebDAV Share

Detects execution of processes whose image path starts with a UNC prefix (\\) and points into a WebDAV share, which might indicate malicious file execution from a remote web share. Process execution from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially when the process is not a known legitimate application. Exploitation attempts against vulnerabilities such as CVE-2025-33053 also involve executing processes from WebDAV paths.

Author: Swachchhanda Shrawan Poudel (Nextron Systems). Created: Fri Jun 13. Rule ID: f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9. Log source product: windows.
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
1 selector
detection:
    selection:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    condition: selection
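The following is an added example, not part of this rule page or of the Sigma project: a small Python matcher that applies the selection above to process-creation events and runs it over a handful of constructed sample events. It assumes each event is a dict carrying an "Image" field (as the process_creation log source provides), that Sigma string matching is case-insensitive, and that the rule's '\\\\' pattern denotes the literal two-backslash UNC prefix. Host and file names in the samples are placeholders.

```python
# Added example (not the rule's own code): apply the rule's selection
# to process-creation events. Assumes events are dicts with an "Image"
# field; sample events below are constructed, hostnames are placeholders.

# The rule's two patterns. In the Sigma YAML, '\\\\' is an escaped pair
# of backslashes, i.e. the literal UNC prefix "\\"; '\DavWWWRoot\' has
# no wildcards, so its backslashes are literal as well.
UNC_PREFIX = "\\\\"               # literal \\
WEBDAV_MARKER = "\\davwwwroot\\"  # literal \DavWWWRoot\, lowercased


def matches_webdav_execution(event: dict) -> bool:
    """Return True when the event's Image satisfies both selection items.

    Sigma string modifiers are case-insensitive by default, so compare
    lowercased values. Both items sit in the same selection, so they are
    ANDed: the path must start with \\ AND contain \DavWWWRoot\.
    """
    image = event.get("Image")
    if not isinstance(image, str):
        return False
    image_lc = image.lower()
    return image_lc.startswith(UNC_PREFIX) and WEBDAV_MARKER in image_lc


# Constructed sample events (hostnames and file names are placeholders).
SAMPLE_EVENTS = [
    # UNC path through the WebClient redirector root: matches.
    {"EventID": 1, "Image": "\\\\webdav.example.invalid\\DavWWWRoot\\tools\\update.exe"},
    # @SSL@port form the WebClient redirector uses for HTTPS shares: matches.
    {"EventID": 1, "Image": "\\\\webdav.example.invalid@SSL@443\\DavWWWRoot\\setup.exe"},
    # Mixed case: still matches because Sigma matching is case-insensitive.
    {"EventID": 1, "Image": "\\\\WEBDAV.EXAMPLE.INVALID\\davwwwroot\\x.exe"},
    # Ordinary SMB share without the WebDAV root: does not match.
    {"EventID": 1, "Image": "\\\\fileserver.example.invalid\\share\\app.exe"},
    # Local path that merely mentions DavWWWRoot: no \\ prefix, does not match.
    {"EventID": 1, "Image": "C:\\Users\\alice\\DavWWWRoot\\notes.exe"},
    # Record without an Image field (e.g. truncated): does not match.
    {"EventID": 1},
]


def hunt(events):
    """Return the Image values of every event the rule would flag."""
    return [e["Image"] for e in events if matches_webdav_execution(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("WebDAV process execution:", hit)
```

The last three samples are the ones worth keeping in mind when triaging: an SMB share path and a local path containing "DavWWWRoot" both fall outside the rule, so a hit always means the image was loaded through the WebClient (WebDAV) redirector, and the false-positive handling reduces to checking whether that share and binary are known to the organisation.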
False Positives

Legitimate use of WebDAV shares for process execution

Known applications executing from WebDAV paths

Rule Metadata
Rule ID
f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9
Status
experimental
Level
low
Type
Threat Hunt
Created
Fri Jun 13
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml
Raw Tags
attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting