{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webdav/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["ntlm-relay","credential-access","windows","webdav"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths, focusing on Print Spooler and SRVSVC. Attackers can exploit this vulnerability, often combined with tools like NTLMRelay2Self, PetitPotam, or modified versions of krbrelayx\u0026rsquo;s printerbug.py, to relay the obtained credentials and escalate their privileges within the network. This technique allows attackers to bypass traditional security measures by leveraging legitimate Windows protocols for malicious purposes. Successful exploitation can lead to domain dominance and unauthorized access to sensitive resources. This activity is often associated with post-exploitation activity following initial access via other means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003erundll32.exe\u003c/code\u003e to load \u003ccode\u003edavclnt.dll\u003c/code\u003e using the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erundll32.exe\u003c/code\u003e process is invoked with arguments specifying a named pipe path over HTTP, such as \u003ccode\u003ehttp*/print/pipe/*\u003c/code\u003e, \u003ccode\u003ehttp*/pipe/spoolss\u003c/code\u003e, or \u003ccode\u003ehttp*/pipe/srvsvc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system attempts to authenticate to the specified HTTP endpoint using NTLM.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the NTLM authentication request.\u003c/li\u003e\n\u003cli\u003eUsing a relay tool like NTLMRelay2Self or ntlmrelayx, the attacker relays the captured NTLM credentials to another service or machine.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the relayed credentials to escalate privileges or gain unauthorized access to network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to escalate privileges within the compromised system and potentially the entire domain. This can lead to unauthorized access to sensitive data, deployment of ransomware, or other destructive activities. The impact ranges from data breaches and financial losses to complete system compromise. Depending on the targeted accounts, the attacker may be able to achieve domain administrator privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Local NTLM Relay via HTTP\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003erundll32.exe\u003c/code\u003e with specific arguments indicative of NTLM relay attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes that load \u003ccode\u003edavclnt.dll\u003c/code\u003e to identify potential NTLM relay traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate and block the usage of tools like NTLMRelay2Self, PetitPotam, and ntlmrelayx within the environment.\u003c/li\u003e\n\u003cli\u003eImplement mitigations for NTLM relay attacks, such as enabling Extended Protection for Authentication (EPA) and disabling NTLM where possible.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WebClient service and Print Spooler service where not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-ntlm-relay-http/","summary":"Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.","title":"Potential Local NTLM Relay via HTTP","url":"https://feed.craftedsignal.io/briefs/2024-01-ntlm-relay-http/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["credential-access","webdav","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can exploit WebDAV by injecting WebDAV paths into files or features opened by a victim user, leading to NTLM credential leakage through forced authentication. This technique relies on the victim\u0026rsquo;s system attempting to authenticate against a malicious WebDAV server when accessing a file or link containing a WebDAV path. This threat is particularly relevant for defenders because it can lead to unauthorized access to sensitive information and potential lateral movement within the network. The attack leverages \u003ccode\u003erundll32.exe\u003c/code\u003e to initiate the WebDAV connection, making it difficult to distinguish from legitimate system processes. The Elastic detection rule identifies rare WebDAV connection attempts to uncover potential credential access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious document or link containing a WebDAV path.\u003c/li\u003e\n\u003cli\u003eThe victim user opens the malicious document or clicks the link.\u003c/li\u003e\n\u003cli\u003eThe operating system attempts to resolve the WebDAV path using \u003ccode\u003erundll32.exe\u003c/code\u003e and the \u003ccode\u003eDavSetCookie\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe system initiates an authentication attempt with the malicious WebDAV server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM credentials during the authentication handshake.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the captured NTLM credentials to access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise and potential lateral movement within the victim\u0026rsquo;s network. An attacker could gain unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system compromise, or further attacks. This can impact organizations of any size and industry that rely on NTLM authentication. The severity depends on the user\u0026rsquo;s permissions and the resources they can access with their compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious WebDAV connections initiated via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on rare or unusual WebDAV destinations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003erundll32.exe\u003c/code\u003e with command-line arguments containing \u0026ldquo;DavSetCookie\u0026rdquo;, focusing on connections to external domains.\u003c/li\u003e\n\u003cli\u003eConduct regular security awareness training to educate users about the risks of opening unsolicited documents or clicking suspicious links.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rare-webdav/","summary":"This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.","title":"Rare Connection to WebDAV Target via Rundll32","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-webdav/"}],"language":"en","title":"CraftedSignal Threat Feed — Webdav","version":"https://jsonfeed.org/version/1.1"}