Detection rules › Splunk
Windows Rundll32 WebDav With Network Connection
The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: tstats
tstats WHERE (Processes.original_file_name="RUNDLL32.EXE" OR Processes.process_name="rundll32.exe") Processes.parent_process_name="svchost.exe" Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*", "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") BY _time, host, Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: rename
rename
Stage 6: join
join type=inner (...)
Stage 7: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | All_Traffic.dest_ip | in | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
All_Traffic.dest_port | ne |
|
Processes.original_file_name | eq |
|
Processes.parent_process_name | eq |
|
Processes.process | in |
|
Processes.process_name | eq |
|