Process Execution From WebDAV Share

    Date: 06/16/2025

    Severity: Low

    Summary

    Detects process executions whose image path begins with a UNC/WebDAV share prefix (\\) or contains the WebDAV mini-redirector segment \DavWWWRoot\, which may signal malicious activity involving remote file execution. Running processes from WebDAV paths can indicate lateral movement or exploitation attempts, particularly when the process isn't a known legitimate application. Some exploits, such as CVE-2025-33053, involve executing payloads directly from WebDAV locations.

    Indicators of Compromise (IOC) List

    Image:

    '\\\\'

    '\DavWWWRoot\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "\DavWWWRoot" or processname like "\\\\")

    Detection Query : 

    (technologygroup = "EDR") AND (processname like "\DavWWWRoot" or processname like "\\\\")

    Detection Query :

    (resourcename = "Sysmon" AND eventtype = "1") AND (image like "\DavWWWRoot" or image like "\\\\")

    Detection Query :

    (technologygroup = "EDR") AND (image like "\DavWWWRoot" or image like "\\\\")
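    As an added illustration (not part of the Gurucul content or the referenced Sigma rule), the following Python applies the same two IOC patterns to constructed process-creation records, normalising the Sysmon Image and Security 4688 NewProcessName fields and taking an optional allowlist for the known-legitimate case the summary mentions. The field names, source labels and sample paths are assumptions.

```python
import re

# Field that carries the executable path in each log source (Sysmon EID 1 vs Security 4688).
# Source labels and field names are assumptions for this example.
IMAGE_FIELD = {"Sysmon": "Image", "Windows Security": "NewProcessName"}

# The two IOC patterns: a UNC path (starts with \\) or a WebDAV mini-redirector segment.
UNC_PREFIX = "\\\\"
DAV_MARKER = re.compile(r"\\DavWWWRoot\\", re.IGNORECASE)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "EventID": 1, "Image": r"\\10.0.0.5@80\DavWWWRoot\update.exe"},
    {"source": "Windows Security", "EventID": 4688,
     "NewProcessName": r"\\files.corp@SSL\DavWWWRoot\tool.exe"},
    {"source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"source": "Sysmon", "EventID": 1, "Image": r"\\files.corp\software\installer.exe"},
    {"source": "Windows Security", "EventID": 4688,
     "NewProcessName": r"C:\Program Files\Vendor\agent.exe"},
]


def is_webdav_image(image: str) -> bool:
    """True when the path starts with \\ or contains \DavWWWRoot\ (case-insensitive)."""
    return image.startswith(UNC_PREFIX) or DAV_MARKER.search(image) is not None


def detect(events, allowlist=()):
    """Return (event, reason) pairs for process creations matching the IOCs.

    allowlist: lower-cased full image paths known to be legitimate remote executions,
    so a vetted installer share does not page the analyst every time it runs.
    """
    hits = []
    for ev in events:
        field = IMAGE_FIELD.get(ev.get("source"))
        image = ev.get(field, "") if field else ""
        if not image or image.lower() in allowlist:
            continue
        if DAV_MARKER.search(image):
            hits.append((ev, "webdav path"))   # the more specific indicator wins
        elif image.startswith(UNC_PREFIX):
            hits.append((ev, "unc path"))
    return hits


if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(reason, "->", ev[IMAGE_FIELD[ev["source"]]])
```

Plain UNC hits are lower confidence than \DavWWWRoot\ hits, so a production rule would normally pair the UNC branch with an allowlist of trusted file servers.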

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml

    Tags

    Sigma, Vulnerability, CVE-2025, WebDAV, Exploit
