Tag
high
advisory
Potential Local NTLM Relay via HTTP
2 rules, 1 TTP
Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.
Microsoft Defender XDR +1
ntlm-relay
credential-access
windows
webdav
medium
advisory
Rare Connection to WebDAV Target via Rundll32
2 rules, 2 TTPs
This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.
Microsoft Defender XDR +2
credential-access
webdav
windows