WebDav Client Execution Via Rundll32.EXE (2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5)

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| WebDav Client Execution Via Rundll32.EXE (2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5) | Sigma-Rules | Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | 1 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2 |