Query Details

APT28 WebDav Folder File Collection

Behaviour Apt28external Webdav

Query

let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
DeviceProcessEvents
| where tolower(ProcessCommandLine) has_all ("start", "edge", "webdav")
| extend RemoteIP = extract(IPRegex, 0, ProcessCommandLine)
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))
| project-reorder DeviceName, RemoteIP, ProcessCommandLine, AccountUpn

About this query

Explanation

This query is designed to detect potentially malicious activity on a network by identifying external connections initiated by PowerShell scripts. Specifically, it looks for instances where PowerShell commands are used to start a web browser (like Microsoft Edge) to access files from a WebDAV folder, which could be a method used by attackers to download malicious files.

Here's a simple breakdown of what the query does:

  1. Pattern Matching: It searches for PowerShell command lines that include the words "start", "edge", and "webdav". This suggests that a script is trying to open a web page or file hosted on a WebDAV server.

  2. Extracting IP Addresses: The query uses a regular expression to extract any IP addresses found in these command lines.

  3. Filtering: It filters out any private IP addresses, focusing only on public IPs, which are more likely to be associated with external threats.

  4. Output: The query then organizes the results to show the device name, the remote IP address accessed, the full command line used, and the account associated with the activity.

This query helps identify suspicious activities that could indicate a security breach, specifically related to the APT28 group, which is known for using such techniques to execute malicious payloads on compromised devices.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DevicesProcessCommandLineAccountRemoteIP

Operators

lettolowerhas_allextendextractwhereisnotemptynotipv4_is_privateproject-reorder

Actions

GitHub