Original Analytic¶

alert http any any - any any
(
msg: "POLICY [ANY.RUN] A suspicious Lnk file leading to a WebDAV resource was downloaded";
flow: established, to_client;
http.stat_code;
content:"200";

file_data;
content: "|400 0000 01140200 00000000 0000000 00000046|";depth: 28;
pcre: "/\x5c\x00\x5c(?:\x00 [a-z0-9\.\-\_])+\x00@/R";
classtype: policy-violation;
metadata: tag webdav, created_at 2024_03_20;
sid: 8001397; rev: 1;
)

Analyic Source: ANY.RUN

Original Analytic Scoring¶

The Suricata rule looks for the 20-byte sequence 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 at the start of the file, and a regular expression (regex) pattern to match double-backslash \\ followed by an arbitrary-length series of lowercase letters, digits, periods, dashes, and underscore characters followed by the @ symbol. According to Microsoft documentation, the first 4 bytes of an LNK file must equal the hexadecimal value 0x0000004C, and the next 16 bytes must equal the Shell Link Class ID 00021401-0000-0000-C000-000000000046. [1] Therefore, the 20-byte sequence in this Suricata rule is robust enough to specifically identify LNK files, and this observable would have an analytic robustness score of Level 4: Core to Some Implementations of (Sub-)Technique. Furthermore, the regex pattern for the WebDAV UNC path is general enough to allow either an IP address or a host/domain name followed by the @ symbol. The analytic robustness of the regex pattern is also Level 4: Core to Some Implementations of (Sub-)Technique. The event robustness is Column P: Payload Visibility, because it relies on visibility of the HTTP body section, and the overall robustness score for this rule is 4P.

References