WebDAV Traffic To Malicious Sites

by Didier Stevens
Nov. 13, 2017 0 comments blog.didierstevens.com Pen Testing & Audits docx iis smb webdav windows7

If observed WebDAV traffic to malicious sites in the past (in proxy logs), and recently I took some time to take a closer look. TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fallback to WebDAV when SMB connections can not be established. I did my tests with 2 Windows 7 VMs on the same subnet, one Windows 7 machine with IIS/WebDAV, and the other Windows 7 machine with Word 2016 and a .docx document with a remote template (template.dotx) (using the file:// URI scheme). The Windows firewall on the IIS machine was configured to block ports 139 and 445. When the .docx document is opened, Word will retrieve the template: