title: Suspicious External WebDAV Execution
id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
related:
- id: 4c55738d-72d8-490e-a2db-7969654e375f
type: similar
status: test
description: |
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
references:
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Ahmed Farouk
date: 2024-05-10
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
logsource:
category: proxy
detection:
selection_webdav:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
selection_execution:
c-uri|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.cmd'
- '.exe'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.url'
- '.vbe'
- '.vbs'
- '.zip'
filter_main_local_ips:
dst_ip|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
- attack.t1587
- attack.t1584
- attack.resource-development
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
exe|startswith:
# Temporary folder
- '/tmp/'
# Web server
- '/var/www/' # Standard
- '/home/*/public_html/' # Per-user
- '/usr/local/apache2/' # Classical Apache
- '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- '/var/apache/' # Solaris Apache
- '/srv/www/' # SuSE Linux 9.*
- '/home/httpd/html/' # Redhat 6 or older Apache
- '/srv/http/' # ArchLinux standard
- '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- '/var/lib/pgsql/data/'
- '/usr/local/mysql/data/'
- '/var/lib/mysql/'
- '/var/vsftpd/'
- '/etc/bind/'
- '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
- Crazy web applications
level: medium
title: Windows Update Error
id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
status: stable
description: |
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
author: frack113
date: 2021-12-04
modified: 2023-09-07
tags:
- attack.impact
- attack.resource-development
- attack.t1584
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: Microsoft-Windows-WindowsUpdateClient
EventID:
- 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
- 20 # Installation Failure: Windows failed to install the following update with error
- 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
- 213 # Revert Failure: Windows failed to revert the following update with error
- 217 # Commit Failure: Windows failed to commit the following update with error
condition: selection
falsepositives:
- Unknown
level: informational