First, let’s connect the ANY.RUN Sandbox<\/a> to the local network (if unsure how, check this article<\/a>). We’ll use ping <\/strong>command to verify connectivity:<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-1.png\")
A look at the offensive and defensive angles. <\/p>\n\n\n\n
WebDAV, short for Web Distributed Authoring and Versioning, is an extension of the Hypertext Transfer Protocol (HTTP).<\/p>\n\n\n\n
WebDAV is used for managing files on web servers. It allows users to create, edit, move, and delete files directly on a server. Many organizations use a WebDAV client to facilitate easier interaction with WebDAV-enabled servers.<\/p>\n\n\n\n
Attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user’s PC using scripts or other methods. One type of server attackers can leverage is WebDAV (Web Distributed Authoring and Versioning) \u2014 a file transfer protocol built on top of HTTP. <\/p>\n\n\n\n
In this article, we’ll explore how a WebDAV vulnerability attack is carried out from the offensive perspective, and then examine how to detect and defend against it defensively.\u00a0<\/p>\n\n\n\n
First, we’ll simulate an attack using a WebDAV server targeting a client PC to understand what it looks like offensively. Then from the defensive side, we’ll analyze a real-world example that loads malware like AsyncRat\/Purelogs, discuss detection methods, and write some detection rules. <\/p>\n\n\n\n
To simulate the attack<\/a>, we need two hosts: one running a Linux OS (we’ll use Kali Linux), and the other running Windows (we’ll use the ANY.RUN virtual machine). <\/p>\n\n\n\n First, let’s connect the ANY.RUN Sandbox<\/a> to the local network (if unsure how, check this article<\/a>). We’ll use ping <\/strong>command to verify connectivity:<\/p>\n\n\n\n