Suspicious Execution of Windows Scripts from WebDAV Share
Adversaries may execute Windows scripts directly from a remote WebDAV share to evade detection and avoid writing malicious files to disk; this activity is detected by monitoring process command lines for suspicious WebDAV paths.
Attackers are increasingly leveraging WebDAV (Web Distributed Authoring and Versioning) shares to host and execute malicious scripts directly in memory, bypassing traditional file-based detection mechanisms. This technique allows them to avoid dropping suspicious files onto the victim's file system, thus reducing the likelihood of detection by endpoint security solutions. Observed activity involves executing scripting engines like PowerShell, cmd.exe, or wscript.exe with command-line arguments pointing to scripts hosted on remote WebDAV shares. Defenders should monitor process command lines for known WebDAV path patterns and unusual process execution from these locations to identify and mitigate potential threats. The scope of targeting is broad, affecting any Windows environment where users might access external WebDAV resources.
Attack Chain
- The attacker compromises a user's credentials or leverages an existing vulnerability to gain initial access.
- The attacker sets up a WebDAV server to host malicious scripts (e.g., PowerShell scripts, batch files).
- The attacker sends a phishing email or uses another social engineering tactic to trick the user into executing a command.
- The user executes a command using cmd.exe, powershell.exe, wscript.exe, or mshta.exe.
- The command line contains a path to a script hosted on a remote WebDAV share (e.g.,
\\webdav.example.com\script.ps1). - The scripting engine downloads and executes the script directly from the WebDAV share without writing it to disk.
- The script performs malicious actions, such as downloading additional payloads, establishing persistence, or exfiltrating data.
- The attacker achieves their objective, such as data theft, system compromise, or lateral movement within the network.
Impact
Successful exploitation can lead to complete system compromise, data theft, and further propagation within the network. Organizations may experience data breaches, financial losses, and reputational damage. If successful, attackers gain a foothold in the network without writing malicious files to disk which makes it harder for traditional AV to detect the activity.
Recommendation
- Deploy the Sigma rule "Detect Suspicious Execution from a WebDav Share" to your SIEM and tune for your environment to detect script execution from WebDAV shares.
- Monitor process creation events, specifically looking for cmd.exe, powershell.exe, wscript.exe, mshta.exe executing with command lines containing "\webdav\", "\DavWWWRoot\", "\\.@8080\", "\\.@80\", "\\.@8443\", "\\.@443\" as described in the rule and overview.
- Review and restrict the usage of WebDAV shares within the organization, especially external shares.
- Implement application control policies to restrict the execution of unsigned or untrusted scripts.
- Enable Sysmon process creation logging to capture detailed information about process executions and command-line arguments.
Detection coverage 2
Detect Suspicious Execution from a WebDav Share
highDetects attempts to execute Windows scripts from a remote WebDav Share.
Detect Conhost Spawning from WebDav Path
mediumDetects conhost.exe spawning with parent process originating from a WebDav Share, indicating potential script execution.
Detection queries are available on the platform. Get full rules →