The author investigated whether a low-privileged remote user can start the WebClient service to enable targeted NTLM relay and found that multiple programmatic and indirect methods (ETW event, net.exe, explorer, searchConnector.ms) all funnel into davclnt.dll, which triggers an ETW event that ultimately starts the service. The final blocker is the UBPM ETW consumer security descriptor, which restricts relayed events to UWPs, SYSTEM, Administrators or LOCAL; this prevents a successful remote start through non-admin RPC calls without additional privilege or token conditions. #WebClient #davclnt.dll
Keypoints
- WebClient expands NTLM relay opportunities (HTTP→LDAP/HTTPS) and is a useful target when SMB protections block SMB-based relays.
- Multiple low-privilege actions (ETW event registration, net.exe mapping, explorer UNC browse, searchConnector.ms) all lead to davclnt.dll calling EtwEventRegister/EtwEventWrite to trigger WebClient start.
- davclnt!TriggerStartWebClientService is reached via MPR → NPGetResourceInformation / NPAddConnection3 flows, linking network provider calls to the service start path.
- efslsaext.dll (EFS LSA extension) RPC methods can reach MPR!WNetGetResourceInformationW, enabling a remote RPC-based path that can potentially trigger the service if environmental checks are satisfied.
- Remote RPC approach requires a controlled SMB server and WebDav server sequence to satisfy file/share checks and force provider iteration to WebClient.
- The root cause blocking non-admin remote start is the UBPM ETW consumer security descriptor which only allows UWPs, SYSTEM, Administrators or LOCAL to relay events; RPC impersonation yields a network token without LOCAL SID.
- On Windows 11 the EFS LSA extension behavior changed (EFS service split into separate service DLLs) and no clear RPC path from Efssvc RPC methods to start WebClient was found; UBPM ACLs remain the main blocker.
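As an added defensive example (not code from the original post or from the rpc2wc repository), the following Python correlates a WebClient service-start record (System log event 7036) with the process-creation records (Security event 4688) that precede it, and classifies each start as matching one of the local trigger paths listed above or as unexplained, which is the case an analyst would examine for a remote trigger. The event records, their field names and the lookback window are constructed assumptions, not a log format the post specifies.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed field names, not from the original post):
# two WebClient "running" transitions and the process creations around them.
SAMPLE_EVENTS = [
    {"time": "2025-08-19T10:00:01", "id": 4688, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use s: http://dav-server/share"},
    {"time": "2025-08-19T10:00:03", "id": 7036, "service": "WebClient", "state": "running"},
    {"time": "2025-08-19T11:30:00", "id": 4688, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe"},
    {"time": "2025-08-19T12:00:00", "id": 7036, "service": "WebClient", "state": "running"},
]

# Local trigger paths named in the post, as (image basename, command-line substring).
KNOWN_TRIGGERS = [
    ("net.exe", "http"),                    # net use X: http://dav-server
    ("explorer.exe", "searchconnector"),    # opening a searchConnector.ms file
]


def _ts(value):
    return datetime.fromisoformat(value)


def classify_webclient_starts(events, window_seconds=60):
    """Return one finding per WebClient 'running' transition.

    A start is attributed to the first process-creation event within the
    lookback window that matches a known trigger; otherwise it is reported
    as 'unexplained', which is the case worth checking for a remote trigger.
    """
    procs = [e for e in events if e["id"] == 4688]
    findings = []
    for e in events:
        if e["id"] != 7036 or e.get("service") != "WebClient" or e.get("state") != "running":
            continue
        start = _ts(e["time"])
        trigger = None
        for p in procs:
            age = start - _ts(p["time"])
            if not (timedelta(0) <= age <= timedelta(seconds=window_seconds)):
                continue
            image = p["image"].rsplit("\\", 1)[-1].lower()
            cmd = p["cmdline"].lower()
            for name, needle in KNOWN_TRIGGERS:
                if image == name and needle in cmd:
                    trigger = f"{name}: {p['cmdline']}"
                    break
            if trigger:
                break
        findings.append({"time": e["time"], "trigger": trigger or "unexplained"})
    return findings
```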
MITRE Techniques
- [T1562] Impair Defenses – Using ETW event triggers (EtwEventRegister/EtwEventWrite) to start the WebClient service, enabling NTLM relay: “…call EtwEventRegister and EtwEventWrite with the event GUID… it will trigger an event that starts the WebClient service.”
- [T1176] Scripting – Using net.exe to map a DAV server to a drive, which triggers davclnt.dll and starts WebClient: “…net.exe use s: http://dav-server will map the s drive to the dav server location and start the service.”
- [T1204] User Execution – Leveraging Explorer browsing to a UNC/network path or searchConnector.ms to trigger WebClient startup via davclnt: “…open explorer.exe and set the file path to a UNC/network path and browse to a dav share. Doing this will start WebClient.” and “searchConnector.ms … if a user browses … it will start the WebClient service.”
- [T1095] Non-Application Layer Protocol – Abusing SMB and WebDAV interactions and provider iteration (MPR.dll) to coerce the target to reach davclnt and trigger service start: “…MPR will take the providers found in the registry and in the order specified will attempt to interact with a provided resource… davclnt.dll referenced there.”
- [T1046] Network Service Scanning – Remote triage for the \pipe\DAV RPC SERVICE named pipe to determine if WebClient is running: “…check for the \pipe\DAV RPC SERVICE named pipe on a target to determine if WebClient is running remotely.”
Indicators of Compromise
- [File/Module] Binaries implicated in service start – davclnt.dll, davhlpr.dll, MPR.dll, efslsaext.dll (these DLLs were analyzed as entry points to trigger WebClient)
- [Registry] WebClient provider path – HKLM\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider (references davclnt.dll)
- [GUID] ETW/event GUID used to trigger the service – 22b6d684-fa63-4578-87c9-effcbe6643c7 (used with EtwEventRegister/EtwEventWrite)
- [WNF State] Temporary state name – discovered via RtlTestAndPublishWnfStateData for the WebClient start WNF message (temporary, non-persistent state name; access attempts returned ACCESS_DENIED without SYSTEM)
- [Repository/Tool] PoC/tooling – rpc2wc GitHub repo for RPC/WebDAV/SMB tooling and WNF test code: https://github.com/0xthirteen/rpc2wc
Read more: https://specterops.io/blog/2025/08/19/will-webclient-start