Credential Access (TA0006)
endpoint
system
windows
```esql
// Candidate sources for process-start telemetry; METADATA keeps the document
// identifiers so the alert can link back to the originating events.
from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
// Only rundll32.exe process starts from the last 8 hours whose command line carries the
// WebDAV client's DavSetCookie export (davclnt.dll).
| where @timestamp > now() - 8 hours and event.category == "process" and event.type == "start" and process.name == "rundll32.exe" and process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
// Capture "DavSetCookie <target> http" and then strip the two markers, leaving the WebDAV server target.
| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
// Keep targets that look like a hostname (optionally with the @SSL suffix) or an IPv4 address,
// drop the listed benign targets, and drop RFC 1918 private addresses (rlike must match the whole string).
| where Esql.server_webdav_cookie_replace is not null and
  Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
  not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
  not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
// Aggregate per target and alert only on targets seen on a single host no more than three times.
| stats Esql.event_count = count(*), Esql.host_id_count_distinct = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_name_values = values(user.name) by Esql.server_webdav_cookie_replace
| where Esql.host_id_count_distinct == 1 and Esql.event_count <= 3
```
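The same extraction, filtering and aggregation replayed in Python over a handful of constructed process-start events, as an added example that is not part of this page or of Elastic's rule set. The field names follow the ECS fields the query keeps; the host IDs, user names and command lines are made up for illustration. The grok/replace pair is mirrored with re.search/re.sub, and rlike is modelled with re.fullmatch because ES|QL RLIKE matches the whole string. The 8-hour time window is not modelled; the sample is treated as one window.

```python
import re
from collections import defaultdict

# Regexes copied from the rule. rlike matches the whole string, hence fullmatch below.
PUBLIC_TARGET = re.compile(r"(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})")
PRIVATE_IP = re.compile(
    r"(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"
)
ALLOWLIST = {"www.google.com@SSL", "www.elastic.co@SSL"}

# Constructed sample events (not real telemetry). Hosts, users and targets are invented;
# 203.0.113.0/24 is a documentation range, and *.example.* names are reserved for examples.
SAMPLE_EVENTS = [
    # single host, public IP target -> should alert
    {"host.id": "host-a", "user.name": "alice", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.10 http://203.0.113.10/share"},
    # same internal share used from two hosts -> count_distinct(host.id) == 2, suppressed
    {"host.id": "host-a", "user.name": "alice", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.contoso.com@SSL https://files.contoso.com@SSL/docs"},
    {"host.id": "host-b", "user.name": "bob", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.contoso.com@SSL https://files.contoso.com@SSL/docs"},
    # RFC 1918 target -> dropped by the private-address filter
    {"host.id": "host-c", "user.name": "carol", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 10.20.30.40 http://10.20.30.40/dav"},
    # allowlisted target -> dropped
    {"host.id": "host-c", "user.name": "carol", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie www.google.com@SSL https://www.google.com@SSL/"},
    # single host, hostname with @SSL@port suffix -> should alert
    {"host.id": "host-e", "user.name": "eve", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie attacker.example.net@SSL@8443 https://attacker.example.net@SSL@8443/share"},
    # four-letter TLD: does not fully match [a-zA-Z]{2,3}, so the rule never sees it
    {"host.id": "host-d", "user.name": "dave", "event.category": "process", "event.type": "start",
     "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie dav.example.info https://dav.example.info/x"},
    # not rundll32 -> excluded by the process.name filter
    {"host.id": "host-a", "user.name": "alice", "event.category": "process", "event.type": "start",
     "process.name": "explorer.exe", "process.command_line": "explorer.exe"},
]


def extract_webdav_target(command_line):
    """Mirror the grok + replace steps: capture 'DavSetCookie ... http', strip both markers."""
    m = re.search(r"DavSetCookie .* http", command_line)
    if m is None:
        return None
    return re.sub(r"(DavSetCookie | http)", "", m.group(0))


def is_candidate(target):
    """Mirror the second where clause: hostname/IPv4 shape, not allowlisted, not RFC 1918."""
    if target is None:
        return False
    if not PUBLIC_TARGET.fullmatch(target):
        return False
    if target in ALLOWLIST:
        return False
    if PRIVATE_IP.fullmatch(target):
        return False
    return True


def rare_webdav_targets(events, max_events=3):
    """Mirror the stats + final where: one host and at most max_events events per target."""
    per_target = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for ev in events:
        if (ev.get("event.category") != "process" or ev.get("event.type") != "start"
                or ev.get("process.name") != "rundll32.exe"):
            continue
        cmd = ev.get("process.command_line", "")
        if "DavSetCookie" not in cmd:  # like "*DavSetCookie*"
            continue
        target = extract_webdav_target(cmd)
        if not is_candidate(target):
            continue
        agg = per_target[target]
        agg["count"] += 1
        agg["hosts"].add(ev["host.id"])
        agg["users"].add(ev["user.name"])
    return {t: a for t, a in per_target.items() if len(a["hosts"]) == 1 and a["count"] <= max_events}


if __name__ == "__main__":
    for target, agg in rare_webdav_targets(SAMPLE_EVENTS).items():
        print(target, agg["count"], sorted(agg["hosts"]), sorted(agg["users"]))
```

Two points the replay makes visible: the hostname pattern only accepts two- or three-letter TLDs, so a WebDAV server under a longer TLD (.info, .cloud and the like) never reaches the aggregation; and the rarity threshold is evaluated per target, so the same external share touched from two hosts in the window is suppressed even if each host only did it once.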
Install detection rules in Elastic Security
Detect Rare Connection to WebDAV Target in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.