{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/threat_detection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Elastic Endgame","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["execution","webdav","windows","threat_detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies attempts to execute or invoke content directly from remote WebDAV shares on Windows systems. Attackers may abuse WebDAV paths, public tunnels (like trycloudflare.com), or host@port UNC paths to run tools or scripts while minimizing local staging on the victim file system. The detection focuses on specific command-line patterns indicative of WebDAV usage, such as paths containing \u0026ldquo;trycloudflare.com\u0026rdquo;, \u0026ldquo;@SSL\u0026rdquo;, \u0026ldquo;\\webdav\\\u0026rdquo;, \u0026ldquo;\\DavWWWRoot\\\u0026rdquo;, \u0026ldquo;*.*@8080\u0026rdquo;, \u0026ldquo;*.*@80\u0026rdquo;, \u0026ldquo;*.*@8443\u0026rdquo;, or \u0026ldquo;*.*@443\u0026rdquo;. The rule is designed to identify potentially malicious activity involving the execution of processes like cmd.exe, powershell.exe, conhost.exe, wscript.exe, mshta.exe, curl.exe, msiexec.exe, bitsadmin.exe, and net.exe from WebDAV shares. This technique can bypass traditional security measures that rely on detecting locally staged malware. 
The rule has been in production since 2025/08/19, and updated on 2026/05/03, demonstrating ongoing relevance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a WebDAV share accessible from the target system, potentially hosted on a public tunnel like trycloudflare.com or using a non-standard port.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious command that executes a script or binary directly from the remote WebDAV share using cmd.exe, powershell.exe, or similar tools.\u003c/li\u003e\n\u003cli\u003eThe command line includes a WebDAV path, such as \u003ccode\u003e\\\\webdav\\\u003c/code\u003e, \u003ccode\u003e\\DavWWWRoot\\\u003c/code\u003e, or a UNC path with a port number like \u003ccode\u003e\\\\host@8080\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe target system attempts to retrieve and execute the specified file from the WebDAV share.\u003c/li\u003e\n\u003cli\u003eThe executed script or binary performs malicious actions, such as downloading additional payloads, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use tools like mshta.exe or bitsadmin.exe to bypass security restrictions and facilitate the execution of the malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system without writing files to disk, making detection more difficult. Compromised systems can be used to steal sensitive data, establish a foothold for further attacks, or disrupt business operations. 
The absence of locally staged files hinders forensic analysis and incident response. Organizations are at risk of data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WebDAV Share Execution via Suspicious Process\u0026rdquo; to detect command-line execution from WebDAV shares using specified processes and command-line patterns. Enable process creation logging with command line arguments on Windows systems (Sysmon Event ID 1 or Windows Security Event Logs) to ensure the rule functions correctly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WebDAV Share Execution via Curl\u0026rdquo; to detect command-line execution from WebDAV shares specifically using curl. This rule complements the general WebDAV execution detection by focusing on a specific tool. Ensure network connection logging is enabled to capture curl\u0026rsquo;s network activity.\u003c/li\u003e\n\u003cli\u003eReview and harden WebDAV and WebClient configurations to restrict unnecessary usage. 
Implement application control or attack surface reduction policies to limit direct execution from remote shares, as recommended in the \u0026ldquo;Post-incident hardening\u0026rdquo; section of the report.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rules, focusing on the launcher identity, parent lineage, child processes, and network connections, as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section to determine if the activity is malicious or a legitimate use of WebDAV.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-webdav-execution/","summary":"This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.","title":"Suspicious Execution from WebDAV Share","url":"https://feed.craftedsignal.io/briefs/2024-01-webdav-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Threat_detection","version":"https://jsonfeed.org/version/1.1"}