Skip to content

Hide Navigation Hide TOC

Suspicious WebDav Client Execution Via Rundll32.EXE (982e9f2d-1a85-4d5b-aea4-31f5e97c6555)

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

Cluster A Galaxy A Cluster B Galaxy B Level
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Suspicious WebDav Client Execution Via Rundll32.EXE (982e9f2d-1a85-4d5b-aea4-31f5e97c6555) Sigma-Rules 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2