https://feed.craftedsignal.io/tags/webdav/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 14:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-ntlm-relay-http/Tue, 09 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-ntlm-relay-http/Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.This detection identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths, focusing on Print Spooler and SRVSVC. Attackers can exploit this vulnerability, often combined with tools like NTLMRelay2Self, PetitPotam, or modified versions of krbrelayx’s printerbug.py, to relay the obtained credentials and escalate their privileges within the network. This technique allows attackers to bypass traditional security measures by leveraging legitimate Windows protocols for malicious purposes. Successful exploitation can lead to domain dominance and unauthorized access to sensitive resources. This activity is often associated with post-exploitation activity following initial access via other means.

Attack Chain

1. An attacker gains initial access to a Windows system.
2. The attacker executes rundll32.exe to load davclnt.dll using the DavSetCookie function.
3. The rundll32.exe process is invoked with arguments specifying a named pipe path over HTTP, such as http*/print/pipe/*, http*/pipe/spoolss, or http*/pipe/srvsvc.
4. The system attempts to authenticate to the specified HTTP endpoint using NTLM.
5. The attacker intercepts the NTLM authentication request.
6. Using a relay tool like NTLMRelay2Self or ntlmrelayx, the attacker relays the captured NTLM credentials to another service or machine.
7. The attacker leverages the relayed credentials to escalate privileges or gain unauthorized access to network resources.
8. The attacker may then perform lateral movement, data exfiltration, or other malicious activities.

Impact

Successful exploitation allows attackers to escalate privileges within the compromised system and potentially the entire domain. This can lead to unauthorized access to sensitive data, deployment of ransomware, or other destructive activities. The impact ranges from data breaches and financial losses to complete system compromise. Depending on the targeted accounts, the attacker may be able to achieve domain administrator privileges.

Recommendation

• Deploy the Sigma rule “Potential Local NTLM Relay via HTTP” to your SIEM to detect the execution of rundll32.exe with specific arguments indicative of NTLM relay attempts.
• Enable Sysmon process creation logging to ensure the necessary data is available for the Sigma rule to function correctly.
• Monitor network connections originating from processes that load davclnt.dll to identify potential NTLM relay traffic.
• Investigate and block the usage of tools like NTLMRelay2Self, PetitPotam, and ntlmrelayx within the environment.
• Implement mitigations for NTLM relay attacks, such as enabling Extended Protection for Authentication (EPA) and disabling NTLM where possible.
• Review and restrict the usage of WebClient service and Print Spooler service where not required.

]]>highadvisoryntlm-relaycredential-accesswindowswebdavhttps://feed.craftedsignal.io/briefs/2024-01-rare-webdav/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rare-webdav/This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.Attackers can exploit WebDAV by injecting WebDAV paths into files or features opened by a victim user, leading to NTLM credential leakage through forced authentication. This technique relies on the victim’s system attempting to authenticate against a malicious WebDAV server when accessing a file or link containing a WebDAV path. This threat is particularly relevant for defenders because it can lead to unauthorized access to sensitive information and potential lateral movement within the network. The attack leverages rundll32.exe to initiate the WebDAV connection, making it difficult to distinguish from legitimate system processes. The Elastic detection rule identifies rare WebDAV connection attempts to uncover potential credential access attempts.

Attack Chain

1. An attacker crafts a malicious document or link containing a WebDAV path.
2. The victim user opens the malicious document or clicks the link.
3. The operating system attempts to resolve the WebDAV path using rundll32.exe and the DavSetCookie function.
4. The system initiates an authentication attempt with the malicious WebDAV server.
5. The attacker captures the NTLM credentials during the authentication handshake.
6. The attacker relays the captured NTLM credentials to access internal resources.

Impact

Successful exploitation leads to credential compromise and potential lateral movement within the victim’s network. An attacker could gain unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system compromise, or further attacks. This can impact organizations of any size and industry that rely on NTLM authentication. The severity depends on the user’s permissions and the resources they can access with their compromised credentials.

Recommendation

• Deploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious WebDAV connections initiated via rundll32.exe.
• Investigate any alerts generated by the Sigma rule, focusing on rare or unusual WebDAV destinations.
• Monitor process creation events for rundll32.exe with command-line arguments containing “DavSetCookie”, focusing on connections to external domains.
• Conduct regular security awareness training to educate users about the risks of opening unsolicited documents or clicking suspicious links.

]]>mediumadvisorycredential-accesswebdavwindows