endpoint(opens in a new tab or window)
system(opens in a new tab or window)
windows(opens in a new tab or window)
FROM logs-*
| where @timestamp > NOW() - 8 hours
| WHERE event.category == "process" and event.type == "start" and process.name == "rundll32.exe" and process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok process.command_line """(?<target>DavSetCookie .* http)"""
| eval webdav_target = REPLACE(target, "(DavSetCookie | http)", "")
| where webdav_target is not null and webdav_target rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and not webdav_target in ("www.google.com@SSL", "www.elastic.co@SSL") and not webdav_target rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats total = count(*), unique_count_host = count_distinct(host.id), hosts = VALUES(host.id), users = VALUES(user.name) by webdav_target
| where unique_count_host == 1 and total <= 3
Install detection rules in Elastic Security
Detect Rare Connection to WebDAV Target in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).