
Suspicious WebDav Client Execution Via Rundll32.EXE

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Source: upstream

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration, of WebDav being used to launch code hosted on a WebDav server, or potentially a sign of exploitation of CVE-2023-23397.

MITRE ATT&CK coverage

Tactic: Exfiltration
Technique: T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Event coverage

Provider: Sysmon
Event ID: 1
Title: Process creation

Stages and Predicates

Stage 1: selection

CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
Image|endswith: '\rundll32.exe'
ParentCommandLine|contains: '-s WebClient'
ParentImage|endswith: '\svchost.exe'

Stage 2: not 1 of filter_local_ips (the rule fires only when Stage 1 matches and none of the following filters match)

or:
CommandLine|contains: '://10.'
CommandLine|contains: '://127.'
CommandLine|contains: '://169.254.'
CommandLine|contains: '://172.16.'
CommandLine|contains: '://172.17.'
CommandLine|contains: '://172.18.'
CommandLine|contains: '://172.19.'
CommandLine|contains: '://172.20.'
CommandLine|contains: '://172.21.'
CommandLine|contains: '://172.22.'
CommandLine|contains: '://172.23.'
CommandLine|contains: '://172.24.'
CommandLine|contains: '://172.25.'
CommandLine|contains: '://172.26.'
CommandLine|contains: '://172.27.'
CommandLine|contains: '://172.28.'
CommandLine|contains: '://172.29.'
CommandLine|contains: '://172.30.'
CommandLine|contains: '://172.31.'
CommandLine|contains: '://192.168.'
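To see how the two stages combine, here is the rule's "selection and not 1 of filter_local_ips" logic reproduced in Python and run over constructed Sysmon Event ID 1 fields. This is an added example, not code from the rule or the catalog; the event builder, field names and sample command lines are assumptions for illustration (203.0.113.0/24 is documentation address space, not a real target).

```python
import re

# Added example: the rule's "selection AND NOT filter_local_ips" logic in
# Python, run over constructed Sysmon EID 1 fields (not real telemetry).
# Sigma 'contains'/'endswith' are case-insensitive, so fields are lowercased.
DAVCLNT_ARG = r"c:\windows\system32\davclnt.dll,davsetcookie"
IPV4_URL_RE = re.compile(r"://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Trailing dots keep '://172.16.' from also swallowing e.g. '://172.160.'
LOCAL_PREFIXES = ("://10.", "://127.", "://169.254.", "://192.168.",
                  *[f"://172.{n}." for n in range(16, 32)])

def selection(ev):
    """Stage 1: all five predicates must hold."""
    cmd = ev.get("CommandLine", "")
    return (DAVCLNT_ARG in cmd.lower()
            and IPV4_URL_RE.search(cmd) is not None
            and ev.get("Image", "").lower().endswith("\\rundll32.exe")
            and "-s webclient" in ev.get("ParentCommandLine", "").lower()
            and ev.get("ParentImage", "").lower().endswith("\\svchost.exe"))

def filter_local_ips(ev):
    """Stage 2: any RFC1918 / loopback / link-local prefix suppresses the alert."""
    cmd = ev.get("CommandLine", "").lower()
    return any(p in cmd for p in LOCAL_PREFIXES)

def rule_matches(ev):
    return selection(ev) and not filter_local_ips(ev)

def _ev(url, parent_args="-k LocalService -p -s WebClient"):
    """Constructed event: svchost (WebClient) -> rundll32 DavSetCookie <url>."""
    return {"Image": r"C:\Windows\System32\rundll32.exe",
            "CommandLine": r"C:\Windows\System32\rundll32.exe "
                           r"C:\windows\system32\davclnt.dll,DavSetCookie " + url,
            "ParentImage": r"C:\Windows\System32\svchost.exe",
            "ParentCommandLine": r"C:\Windows\System32\svchost.exe " + parent_args}

SAMPLE_EVENTS = {  # constructed samples; 203.0.113.0/24 is documentation space
    "public_ip": _ev("http://203.0.113.10/dav/share"),
    "rfc1918_192": _ev("http://192.168.1.20/share"),
    "rfc1918_172": _ev("http://172.31.5.5/share"),
    "not_rfc1918_172": _ev("http://172.32.5.5/share"),  # 172.32/12 is public
    "hostname_only": _ev("http://fileserver.example.com/share"),  # regex needs an IP
    "other_svchost": _ev("http://203.0.113.10/dav", "-k netsvcs -p -s Schedule"),
}

def evaluate(events=SAMPLE_EVENTS):
    """Return the names of the events the rule would alert on."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))

if __name__ == "__main__":
    print(evaluate())  # ['not_rfc1918_172', 'public_ip']
```

Note that the hostname-only case is missed by design: the `CommandLine|re` predicate requires a dotted IPv4 literal in the URL, so WebDav servers addressed by DNS name are out of scope for this rule.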

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count shows how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank count or a count of 1 means the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • ://10.
  • ://127.
  • ://169.254.
  • ://172.16.
  • ://172.17.
  • ://172.18.
  • ://172.19.
  • ://172.20.
  • ://172.21.
  • ://172.22.
  • ://172.23.
  • ://172.24.
  • ://172.25.
  • ://172.26.
  • ://172.27.
  • ://172.28.
  • ://172.29.
  • ://172.30.
  • ://172.31.
  • ://192.168.
  • C:\windows\system32\davclnt.dll,DavSetCookie (corpus 3, sigma 3)

Field: CommandLine
Kind: regex_match
Values:
  • ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} (corpus 2, sigma 2)

Field: Image
Kind: ends_with
Values:
  • \rundll32.exe (corpus 76, sigma 76)

Field: ParentCommandLine
Kind: match
Values:
  • -s WebClient

Field: ParentImage
Kind: ends_with
Values:
  • \svchost.exe (corpus 8, sigma 8)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.