Adversaries may use WebDAV requests carrying a suspicious User-Agent string to exfiltrate data or establish persistence, because WebDAV traffic over HTTP often passes traditional network defenses unchallenged. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or command-and-control activity that evades standard detection mechanisms.
Detection Rule
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
    - Legitimate WebDAV administration
level: high
imWebSession
| where HttpUserAgent startswith "Microsoft-WebDAV-MiniRedir/" and HttpRequestMethod =~ "GET"
Scenario: Scheduled System Backup Using WebDAV
Description: A legitimate backup tool (e.g., Veeam, Acronis) uses WebDAV to transfer backup data to a remote server.
Filter/Exclusion: Check for known backup tools in the process name or command line, or filter by IP address of the backup server.
Scenario: Admin Task Using WebDAV for File Sync
Description: An administrator uses a sync tool (e.g., Microsoft OneDrive, Syncthing) to synchronize files between servers via WebDAV.
Filter/Exclusion: Filter by user account (e.g., Administrator), or check for known sync tools in the process name.
Scenario: WebDAV Used for Software Deployment
Description: A deployment tool (e.g., SCCM, Ansible) uses WebDAV to push updates or configuration files to target machines.
Filter/Exclusion: Filter by process name (e.g., msiexec.exe, ansible.exe) or check for known deployment tools in the command line.
Scenario: WebDAV Access for Remote File Management
Description: A system administrator uses a remote management tool (e.g., WinSCP, FileZilla) to access and manage files on a remote Windows server via WebDAV.
Filter/Exclusion: Filter by user account, or check for known file transfer tools in the process name or command line.
Scenario: WebDAV Used for Internal File Sharing
Description: A team uses a file-sharing solution (e.g., SharePoint, SharePoint Online) that internally uses WebDAV for content delivery.
Filter/Exclusion: Filter by domain or IP address of the internal SharePoint server, or check for known SharePoint-related processes.
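The following Python script is an added example (not part of the original rule or the Sentinel query) that applies the rule's selection logic and the "Internal File Sharing" exclusion above to a constructed W3C proxy-log excerpt. The sample log lines, the host names and the allow-list are assumptions made for the demonstration.

```python
# Constructed sample in W3C Extended Log Format, as a proxy might emit it.
# The #Fields header names the columns; the Sigma keys c-useragent and cs-method
# map directly onto these names. W3C logs encode spaces in values as '+', so a
# whitespace split is safe for the sample below.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host cs-uri-stem c-useragent sc-status
2024-01-10 09:12:01 10.0.0.5 GET files.example-corp.internal /docs/plan.docx Microsoft-WebDAV-MiniRedir/10.0.19041 200
2024-01-10 09:13:44 10.0.0.7 GET 203.0.113.9 /dav/download.dat Microsoft-WebDAV-MiniRedir/10.0.19041 200
2024-01-10 09:14:02 10.0.0.7 PROPFIND 203.0.113.9 /dav/ Microsoft-WebDAV-MiniRedir/10.0.19041 207
2024-01-10 09:15:30 10.0.0.9 GET www.example.org /index.html Mozilla/5.0 200
"""

# Hypothetical allow-list for the "Internal File Sharing" scenario: hosts of the
# internal SharePoint/WebDAV servers that are expected to receive MiniRedir traffic.
KNOWN_INTERNAL_WEBDAV_HOSTS = {"files.example-corp.internal"}


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def matches_rule(event):
    """The Sigma selection: User-Agent prefix AND method GET.

    Sigma string modifiers and KQL startswith/=~ are case-insensitive, so the
    comparison lowercases both fields to behave the same way."""
    agent = event.get("c-useragent", "").lower()
    method = event.get("cs-method", "").lower()
    return agent.startswith("microsoft-webdav-miniredir/") and method == "get"


def is_allowlisted(event):
    """Exclusion by destination host, as suggested for the SharePoint scenario."""
    return event.get("cs-host", "").lower() in KNOWN_INTERNAL_WEBDAV_HOSTS


def hunt(text):
    """Return events that match the rule and are not covered by an exclusion."""
    return [e for e in parse_w3c(text) if matches_rule(e) and not is_allowlisted(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-host"] + hit["cs-uri-stem"], hit["c-useragent"])
```

Running it reports only the GET to the unknown external host; the PROPFIND is not matched by the rule, and the internal file server is removed by the allow-list.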