
Summary
The detection rule titled 'Rare Connection to WebDAV Target' identifies infrequent connection attempts to Web Distributed Authoring and Versioning (WebDAV) resources. Such connections may signal a credential theft attempt, in which attackers inject WebDAV paths into files or features that users open in order to capture NTLM credentials through forced authentication. The rule analyzes process start events, specifically those involving 'rundll32.exe' with the command-line parameter 'DavSetCookie'. It uses a regex to extract and validate the WebDAV target URL, ensuring the target is not a well-known safe domain or an internal network address (e.g., a local IP address range). Results are then aggregated to find cases where a single host connects to a WebDAV target no more than three times within an 8-hour period; that rarity is what marks the activity as suspicious. For context, the rule references MITRE ATT&CK technique T1187 (Forced Authentication), underscoring its relevance to credential access threats. Recommended investigation steps include examining the reputation of the connection target, cross-referencing with user activity, and reviewing other security logs for related events. The rule is aimed at IT security teams for monitoring; response efforts should focus on password resets and engaging incident response teams for deeper investigation.
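As an added illustration (not the rule's own query or code), the following Python sketch reproduces the rule's logic over constructed process-start events: it extracts the target from rundll32 DavSetCookie command lines, drops internal ranges and allowlisted domains, and reports host/target pairs seen at most three times in an 8-hour window. The command-line shape, the allowlist entry, the internal ranges and the sample events are assumptions made for this example.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Assumed command-line shape: rundll32.exe ...\davclnt.dll,DavSetCookie <target> <url>
DAV_RE = re.compile(r"DavSetCookie\s+(?P<target>[^\s/]+)", re.IGNORECASE)
# Placeholder allowlist of sanctioned WebDAV providers (constructed name).
ALLOWED_SUFFIXES = ("webdav.example.org",)
# Internal ranges that never raise an alert: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_target(event):
    """WebDAV target of a rundll32 DavSetCookie process-start event, else None."""
    if event["process"].lower() != "rundll32.exe":
        return None
    m = DAV_RE.search(event["cmdline"])
    return m.group("target").lower() if m else None

def is_excluded(target):
    """True for internal IP literals and for allowlisted domains."""
    try:
        return any(ipaddress.ip_address(target) in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return target.endswith(ALLOWED_SUFFIXES)

def rare_webdav_targets(events, window_end, hours=8, max_hits=3):
    """(host, target) pairs seen at most max_hits times in the trailing window."""
    start = window_end - timedelta(hours=hours)
    counts = Counter()
    for ev in events:
        target = extract_target(ev) if start < ev["ts"] <= window_end else None
        if target and not is_excluded(target):
            counts[(ev["host"], target)] += 1
    return {pair: n for pair, n in counts.items() if n <= max_hits}

def make_event(host, ts, target, process="rundll32.exe"):  # constructed record shape
    cmd = rf"{process} C:\Windows\system32\davclnt.dll,DavSetCookie {target} http://{target}/share"
    return {"host": host, "ts": ts, "process": process, "cmdline": cmd}

T0 = datetime(2025, 4, 28, 8, 0)
WINDOW_END = T0 + timedelta(hours=8)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    make_event("WS01", T0 + timedelta(minutes=5), "10.0.0.5"),          # internal: ignored
    make_event("WS01", T0 + timedelta(minutes=10), "203.0.113.7"),      # external, seen once
    make_event("WS02", T0 + timedelta(hours=1), "webdav.example.org"),  # allowlisted
    make_event("WS01", T0 + timedelta(hours=2), "files.example.net", process="notepad.exe"),
    make_event("WS04", T0 - timedelta(hours=12), "198.51.100.9"),       # before the window
] + [make_event("WS03", T0 + timedelta(hours=h), "198.51.100.20") for h in range(1, 6)]  # 5 hits
```

Calling `rare_webdav_targets(SAMPLE_EVENTS, WINDOW_END)` returns only the single WS01 connection to 203.0.113.7; the five WS03 hits exceed the threshold and are treated as routine.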
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Network Traffic
- Application Log
- Logon Session
ATT&CK Techniques
- T1187
Created: 2025-04-28