Update windows_rundll32_webdav_with_network_connection.yml

nasbench · nasbench · commit e342920f3708 · 2025-06-17T11:44:13.000+02:00
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -14,28 +14,45 @@ description: The following analytic detects the execution of rundll32.exe with c
   indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious,
   this could allow an attacker to establish unauthorized remote connections, potentially
   leading to data exfiltration or further network compromise.
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name=svchost.exe
-  `process_rundll32` Processes.process IN ("*\\windows\\system32\\davclnt.dll,*davsetcookie*",
-  "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") by host _time span=1h
-  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
-  Processes.user Processes.user_id Processes.vendor_product 
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | rename dest as src | join host process_id
-  [ | tstats `security_content_summariesonly` count latest(All_Traffic.dest) as dest
-  latest(All_Traffic.dest_ip) as dest_ip latest(All_Traffic.dest_port) as dest_port
-  FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port!=0 NOT (All_Traffic.dest_ip
-  IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) 
-  by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
-  All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
-  All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
-  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
-  All_Traffic.process_id
-  | `drop_dm_object_name(All_Traffic)`] | `windows_rundll32_webdav_with_network_connection_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+search: |
+  | tstats `security_content_summariesonly` count 
+    min(_time) as firstTime 
+    max(_time) as lastTime 
+  FROM datamodel=Endpoint.Processes where 
+    Processes.parent_process_name=svchost.exe
+    `process_rundll32` 
+    Processes.process IN (
+      "*\\windows\\system32\\davclnt.dll,*davsetcookie*", 
+      "*\\windows\\syswow64\\davclnt.dll,*davsetcookie*") 
+  by host _time span=1h 
+    Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+    Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+    Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec 
+    Processes.process_guid Processes.process_hash  Processes.process_id Processes.process_integrity_level 
+    Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | rename dest as src 
+  | join host process_id
+  [
+    | tstats `security_content_summariesonly` count 
+      latest(All_Traffic.dest) as dest
+      latest(All_Traffic.dest_ip) as dest_ip 
+      latest(All_Traffic.dest_port) as dest_port
+    FROM datamodel=Network_Traffic.All_Traffic where 
+      All_Traffic.dest_port!=0 
+      NOT (All_Traffic.dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) 
+    by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
+            All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+            All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
+            All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+            All_Traffic.process_id
+    | `drop_dm_object_name(All_Traffic)`
+  ] 
+  | `windows_rundll32_webdav_with_network_connection_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -44,8 +61,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: False positives will be present based on legitimate software,
-  filtering may need to occur.
+known_false_positives: |
+  False positives will be present based on legitimate software, filtering may need to occur.
 references:
 - https://strontic.github.io/xcyclopedia/library/davclnt.dll-0EA3050E7CC710526E330C413C165DA0.html
 - https://twitter.com/ACEResponder/status/1636116096506818562?s=20
