Date: 06/16/2025
Severity: Low
Summary
Detects process executions whose image path begins with a UNC/WebDAV share prefix (\\) or contains the WebDAV client mount segment (\DavWWWRoot\), which may signal remote file execution. Running a process from a WebDAV path can indicate lateral movement or exploitation attempts, particularly when the process is not a known legitimate application. Some exploits, such as CVE-2025-33053, involve executing payloads directly from WebDAV locations.
Indicators of Compromise (IOC) List
Image : '\\\\' (UNC share prefix) | '\DavWWWRoot\' (WebDAV client mount path)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query : | (resourcename = "Windows Security" AND eventtype = "4688" ) AND (processname like "\DavWWWRoot" or processname like "\\\\") |
Detection Query : | (technologygroup = "EDR" ) AND (processname like "\DavWWWRoot" or processname like "\\\\") |
Detection Query : | (resourcename = "Sysmon" AND eventtype = "1" ) AND (image like "\DavWWWRoot" or image like "\\\\") |
Detection Query : | (technologygroup = "EDR") AND (image like "\DavWWWRoot" or image like "\\\\") |
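The same matching logic as the queries above, applied to process-creation records outside the Gurucul platform, as an added example that is not part of this advisory. The event records, the field layout and the KNOWN_GOOD allowlist are constructed for illustration; tune the allowlist to your own environment.

```python
"""Flag process-creation events whose image path points at a UNC/WebDAV location."""

# Indicators from the advisory: image path begins with a UNC prefix (\\) or
# contains the WebDAV client mount segment (\DavWWWRoot\). Matching is
# case-insensitive because Windows paths are.
UNC_PREFIX = "\\\\"
DAV_SEGMENT = "\\davwwwroot\\"

# Hypothetical allowlist of share-hosted images an analyst has confirmed as
# expected in this environment (constructed value, not from the advisory).
KNOWN_GOOD = {"\\\\fileserver01\\software\\installer.exe"}


def is_webdav_execution(image: str) -> bool:
    """True when the image path matches the advisory's UNC/WebDAV indicators."""
    path = image.strip().strip('"').lower()
    return path.startswith(UNC_PREFIX) or DAV_SEGMENT in path


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record into lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def triage(lines):
    """Return (computer, image, reason) for each hit, skipping allowlisted images."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Sysmon Event ID 1 carries Image; Security 4688 carries ProcessName.
        image = ev.get("image") or ev.get("processname") or ""
        if not is_webdav_execution(image) or image.lower() in KNOWN_GOOD:
            continue
        reason = "DavWWWRoot" if DAV_SEGMENT in image.lower() else "UNC path"
        hits.append((ev.get("computer", "?"), image, reason))
    return hits


# Constructed sample records (not real telemetry) modelled on Sysmon ID 1 and
# Security 4688 fields; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    r"EventID=1|Computer=WS01|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=1|Computer=WS01|Image=\\203.0.113.10@80\DavWWWRoot\update.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=4688|Computer=WS02|ProcessName=\\evil-host\share\payload.exe|ParentProcessName=C:\Windows\explorer.exe",
    r"EventID=1|Computer=WS03|Image=\\fileserver01\software\installer.exe|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for computer, image, reason in triage(SAMPLE_EVENTS):
        print(f"{computer}: {image} ({reason})")
```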
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml