Query Details

Webdav Execution

Query

Suspicious File Execution From a WebDav Share. This was tested in my environment; you can exclude based on yours.
Tags:
    - attack.execution

Query:
DeviceProcessEvents
| where ProcessCommandLine contains "DavWWWRoot"
| where InitiatingProcessFileName != @"AcroRd32.exe"
| where ProcessVersionInfoInternalFileName != @"VISIO.EXE"

References
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462

Explanation

This query looks for suspicious file execution from a WebDav share. It filters the DeviceProcessEvents table down to events whose ProcessCommandLine contains "DavWWWRoot", which is the path component Windows inserts when a WebDAV share is accessed through the mini-redirector. It then applies two separate exclusions: events whose InitiatingProcessFileName is "AcroRd32.exe" and events whose ProcessVersionInfoInternalFileName is "VISIO.EXE", both observed as benign in the author's environment. The query is based on the references provided.
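An extended form of the same hunt, added here as an example and not part of the original query: it keeps the DavWWWRoot filter and the two exclusions, but uses the case-insensitive `!in~` operator (the original `!=` is case-sensitive in KQL, so a differently cased file name would slip past the exclusion), pulls the WebDAV host out of the UNC path, and summarizes hits per device, account, parent process and host for triage. It assumes the standard DeviceProcessEvents columns and the mini-redirector path form `\\host[@SSL][@port]\DavWWWRoot\...`.

```kql
// Added example: triage view for file execution from WebDAV shares.
// Assumes standard DeviceProcessEvents columns (Timestamp, DeviceName, AccountName,
// FileName, InitiatingProcessFileName, ProcessCommandLine, ProcessVersionInfoInternalFileName).
DeviceProcessEvents
| where ProcessCommandLine contains "DavWWWRoot"
// Exclusions from the original query, made case-insensitive; extend the lists per environment.
| where InitiatingProcessFileName !in~ ("AcroRd32.exe")
| where ProcessVersionInfoInternalFileName !in~ ("VISIO.EXE")
// Extract the WebDAV host from \\host[@SSL][@port]\DavWWWRoot\... (RE2 syntax, case-insensitive).
| extend WebDavHost = extract(@"(?i)\\\\([^\\@]+)(?:@SSL)?(?:@\d+)?\\DavWWWRoot", 1, ProcessCommandLine)
| summarize Executions = count(),
            Files = make_set(FileName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, WebDavHost
| order by Executions desc
```

A single device executing several distinct files from one external WebDavHost, or a host that appears on only one device, is the row worth opening first.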

Details


Ali Hussein

Released: September 12, 2023

Tables

DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

|, where, contains, !=
