Threat Feed
medium advisory

Rare Connection to WebDAV Target via Rundll32

This rule identifies rare connection attempts by rundll32.exe to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may embed WebDAV paths in files opened by a victim so that the victim's system authenticates to an attacker-controlled server, leaking NTLM credentials through forced authentication.

Attackers can exploit WebDAV by injecting WebDAV paths into files or features opened by a victim user, leading to NTLM credential leakage through forced authentication. The technique relies on the victim's system attempting to authenticate against a malicious WebDAV server when it accesses a file or link containing a WebDAV path. This threat matters to defenders because it can lead to unauthorized access to sensitive information and to lateral movement within the network. The WebDAV connection is initiated by rundll32.exe, a legitimate Windows binary, so the activity is difficult to distinguish from normal system processes. The Elastic detection rule identifies rare WebDAV connection attempts to uncover potential credential access.

Attack Chain

  1. An attacker crafts a malicious document or link containing a WebDAV path.
  2. The victim user opens the malicious document or clicks the link.
  3. The operating system attempts to resolve the WebDAV path using rundll32.exe and the DavSetCookie function.
  4. The system initiates an authentication attempt with the malicious WebDAV server.
  5. The attacker captures the NTLM credentials during the authentication handshake.
  6. The attacker relays the captured NTLM credentials to access internal resources.

Impact

Successful exploitation leads to credential compromise and potential lateral movement within the victim’s network. An attacker could gain unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system compromise, or further attacks. This can impact organizations of any size and industry that rely on NTLM authentication. The severity depends on the user’s permissions and the resources they can access with their compromised credentials.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious WebDAV connections initiated via rundll32.exe.
  • Investigate any alerts generated by the Sigma rule, focusing on rare or unusual WebDAV destinations.
  • Monitor process creation events for rundll32.exe with command-line arguments containing “DavSetCookie”, focusing on connections to external domains.
  • Conduct regular security awareness training to educate users about the risks of opening unsolicited documents or clicking suspicious links.
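The recommendations above describe two checks: flag any rundll32.exe launch whose command line carries DavSetCookie, and then single out destinations that are rare or external. The following Python is an added worked example of that logic run over constructed process_creation events; it is not Elastic's rule, not a Sigma rule from this page, and not code from the page. It assumes the WebClient service's argument shape `rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <host> <url>` (with optional UNC-style `@SSL`/`@port` suffixes on the host), and the baseline counts, internal DNS suffix and sample events are all constructed.

```python
"""Toy detector for rundll32.exe DavSetCookie WebDAV connections.

Check 1: any rundll32.exe process whose command line names DavSetCookie.
Check 2: the WebDAV destination is external (not RFC1918/loopback and not
under an internal DNS suffix) or rare against a baseline of destinations
already seen in the environment.
All sample data below is constructed for this example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed argument shape (WebClient service launching rundll32):
#   rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <host> <url>
# <host> may carry UNC-style "@SSL" / "@<port>" suffixes, e.g. files.example@SSL@443.
DAV_RE = re.compile(r"DavSetCookie\s+(?P<target>\S+)", re.IGNORECASE)

RULE_ANY = "Suspicious Rundll32 WebDAV Connection"
RULE_RARE = "Rare WebDAV Destination via Rundll32"

# Constructed allow-list: private/loopback ranges plus an internal DNS suffix.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES: Tuple[str, ...] = (".corp.example",)


def parse_dav_target(command_line: str) -> Optional[str]:
    """Return the WebDAV host named after DavSetCookie, or None if absent."""
    m = DAV_RE.search(command_line)
    if not m:
        return None
    # "sharepoint.corp.example@SSL@443" -> "sharepoint.corp.example"
    return m.group("target").split("@")[0].lower().rstrip(".")


def is_rundll32(image: str) -> bool:
    """Match on the image file name only, whatever directory it was run from."""
    return image.lower().replace("/", "\\").split("\\")[-1] == "rundll32.exe"


def is_internal(host: str, suffixes: Tuple[str, ...] = INTERNAL_SUFFIXES) -> bool:
    """True for IPs inside INTERNAL_NETS or names under an internal suffix."""
    try:
        return any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal; fall through to the DNS-suffix check
    return host.endswith(suffixes)


def detect(events: List[Dict[str, str]], baseline: Counter,
           rare_threshold: int = 5) -> List[Dict[str, str]]:
    """Emit RULE_ANY for every DavSetCookie launch, plus RULE_RARE when the
    destination is external or seen fewer than rare_threshold times before."""
    alerts = []
    for ev in events:
        if not is_rundll32(ev.get("Image", "")):
            continue
        target = parse_dav_target(ev.get("CommandLine", ""))
        if target is None:
            continue
        base = {"host": ev["Computer"], "parent": ev.get("ParentImage", ""), "target": target}
        alerts.append({"rule": RULE_ANY, **base})
        reason = None
        if not is_internal(target):
            reason = "external destination"
        elif baseline[target] < rare_threshold:
            reason = f"seen {baseline[target]} times in baseline"
        if reason:
            alerts.append({"rule": RULE_RARE, "reason": reason, **base})
    return alerts


# Constructed sample process_creation events (Sysmon-style field names).
EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.corp.example http://files.corp.example/team/"},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.10@80 http://203.0.113.10/docs/readme.txt"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"Computer": "WS02", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie sharepoint.corp.example@SSL@443 https://sharepoint.corp.example/sites/hr/"},
]
# Constructed baseline: how often each destination was seen in prior days.
BASELINE = Counter({"files.corp.example": 120, "sharepoint.corp.example": 2})

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

The first event only trips the broad rule because its destination is both internal and well established in the baseline; the public-IP destination trips the rare rule as external, and the internal SharePoint host trips it because the baseline has seen it only twice. In a real deployment the baseline would be computed from the SIEM's own history over a trailing window rather than hard-coded.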

Detection coverage (2 rules)

Suspicious Rundll32 WebDAV Connection

Severity: medium

Detects rundll32.exe making a connection to a WebDAV server via DavSetCookie.

Format: sigma · Tactics: credential_access, defense_evasion · Techniques: T1187, T1218.011 · Sources: process_creation, windows

Rare WebDAV Destination via Rundll32

Severity: medium

Detects rundll32.exe connecting to a rare WebDAV server.

Format: sigma · Tactics: credential_access, defense_evasion · Techniques: T1187, T1218.011 · Sources: process_creation, windows

Detection queries are kept inside the platform.