Suspicious File Execution From Internet Hosted WebDav Share

About the rule

Rule Type

Standard

Rule Description

This rule detects the execution of files hosted on remote WebDAV shares over the internet. Attackers often exploit WebDAV (Web Distributed Authoring and Versioning) to deliver payloads without writing them to disk, thereby bypassing traditional detection mechanisms. By mapping a malicious remote share and executing the payload directly, adversaries can run malware from memory or temporary locations. This technique is stealthy and often used in file less attacks or initial access phases.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Remote File Execution via WebDAV → Defense Evasion (fileless execution) → Persistence or Payload Deployment → Command and Control Communication

Impact

• Malware execution
• Bypass of endpoint security
• Persistence and privilege escalation
• Data exfiltration risk

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
PR.DS-01: Data-at-rest and data-in-transit are protected.

By detecting remote execution of files via WebDAV, this rule ensures early identification of stealthy fileless or memory-based attacks that may bypass traditional security controls.

Author

pH-T (Nextron Systems)

Future actions

Known False Positives

Legitimate use of WebDAV to remotely execute scripts or installers during software deployments, remote management, third party tools or by developers in testing enviornment.

Next Steps

When this rule is triggered, the following measures can be implemented:

• Identification: Check if the source process has elevated privileges or comes from an unusual user account.
• Analysis: Look for follow-up activity such as credential dumping, registry hive access, or lateral movement attempts.
• Response: Isolate the host, terminate associated processes, and revoke any potentially compromised credentials. Review recent VSS (Volume Shadow Copy) activity and audit for unauthorized access attempts.
• Restrict access : Limit access to mklink and VSS paths to trusted users and processes.

Mitigation