Elastic Security Detection Rules

Rare Connection to WebDAV Target

Last updated a month ago on 2025-07-16
Created 4 months ago on 2025-04-28

About

Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessData Source: Elastic DefendData Source: Windows Security Event LogsData Source: Microsoft Defender for EndpointData Source: CrowdstrikeLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Forced Authentication (T1187)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint(opens in a new tab or window)

system(opens in a new tab or window)

windows(opens in a new tab or window)

m365_defender(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

Query
from logs-*
| where
    @timestamp > now() - 8 hours and
    event.category == "process" and
    event.type == "start" and
    process.name == "rundll32.exe" and
    process.command_line like "*DavSetCookie*"
| keep host.id, process.command_line, user.name
| grok
    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
| eval
    Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
| where
    Esql.server_webdav_cookie_replace is not null and
    Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
    not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
    not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
| stats
    Esql.event_count = count(*),
    Esql.host_id_count_distinct = count_distinct(host.id),
    Esql.host_id_values = values(host.id),
    Esql.user_name_values = values(user.name)
  by Esql.server_webdav_cookie_replace
| where
    Esql.host_id_count_distinct == 1 and
    Esql.event_count <= 3

Install detection rules in Elastic Security

Detect Rare Connection to WebDAV Target in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).