I observed WebDAV traffic to malicious sites in the past (in proxy logs), and recently I took some time to take a closer look.

TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fall back to WebDAV when SMB connections can not be established.

I did my tests with 2 Windows 7 VMs on the same subnet: one Windows 7 machine with IIS/WebDAV, and the other Windows 7 machine with Word 2016 and a .docx document with a remote template (template.dotx) referenced with the file:// URI scheme. The Windows firewall on the IIS machine was configured to block ports 139 and 445.

When the .docx document is opened, Word will retrieve the template. First we see attempts to connect on ports 445 and 139 on the IIS machine (SYN packets). There are no packets coming back from the IIS machine (I blocked ports 139 and 445), and after almost 30 seconds we see an HTTP request to port 80 on the IIS machine. This is a WebDAV request, notice the User Agent string “DavClnt”. This TCP connection originates from the Word process.

And about 3 seconds after this request, we get another WebDAV request. For this request, the User Agent string is “Microsoft-WebDAV-MiniRedir/”. This TCP connection originates from the WebClient service. The svchost service host process will load and start the WebClient service. WebClient (WebClnt.dll) is the WebDAV service.

To summarize, when the file:// URI scheme is used in a Word document and SMB connections can not be established, we will see WebDAV requests from the Word process (User Agent “DavClnt”) and from the WebClient service (User Agent “Microsoft-WebDAV-MiniRedir/”).
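The fallback chain above (unanswered SYNs to 445/139, then roughly 30 seconds later an HTTP request to port 80 with User Agent “DavClnt”, then a few seconds later one with “Microsoft-WebDAV-MiniRedir/”) is something a defender can look for in firewall and proxy logs. The script below is an added example written for this post, not code from the original article: it reads constructed firewall-drop and proxy log lines (the log formats, IP addresses and the “MiniRedir/0.0.0” version string are all made up for the example), keeps the proxy requests whose User Agent is one of the two WebDAV clients named above, and pairs each one with a preceding blocked SMB attempt from the same client to the same destination. The 60 second correlation window is this example's assumption, chosen to give the observed ~30 second gap some slack.

```python
"""Correlate blocked outbound SMB (445/139) attempts with later WebDAV requests
from the same client to the same destination, the fallback sequence described
in the post. Added example; the log line formats below are constructed for
this script and are not any product's real format."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# User-Agent prefixes the post observes on the WebDAV fallback requests:
# "DavClnt" from the Word process, "Microsoft-WebDAV-MiniRedir/" from the
# WebClient service. The version after the slash varies, so match on prefix.
WEBDAV_UA_PREFIXES = ("DavClnt", "Microsoft-WebDAV-MiniRedir/")

# Constructed proxy log line: <iso-ts> <client_ip> <method> <url> <status> "<ua>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Constructed firewall log line: <iso-ts> DROP <client_ip> <dst_ip> <dst_port>
FW_RE = re.compile(r'^(?P<ts>\S+) DROP (?P<client>\S+) (?P<dst>\S+) (?P<port>\d+)$')

# Constructed sample data (documentation-range IPs; MiniRedir version is made up).
FW_LOG = """\
2024-01-01T10:00:00Z DROP 10.0.0.5 198.51.100.20 445
2024-01-01T10:00:00Z DROP 10.0.0.5 198.51.100.20 139
"""
PROXY_LOG = """\
2024-01-01T10:00:29Z 10.0.0.5 GET http://198.51.100.20/template.dotx 200 "DavClnt"
2024-01-01T10:00:32Z 10.0.0.5 GET http://198.51.100.20/template.dotx 200 "Microsoft-WebDAV-MiniRedir/0.0.0"
2024-01-01T10:00:40Z 10.0.0.7 GET http://www.example.com/ 200 "Mozilla/5.0"
2024-01-01T10:30:00Z 10.0.0.9 GET http://198.51.100.20/other.dotx 200 "DavClnt"
"""


def _ts(s):
    """Parse the constructed ISO-8601 UTC timestamp used in both log formats."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_proxy(lines):
    """Return only proxy records whose User-Agent marks a Windows WebDAV client."""
    out = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m and m["ua"].startswith(WEBDAV_UA_PREFIXES):
            rec = m.groupdict()
            rec["host"] = urlsplit(rec["url"]).hostname or ""
            out.append(rec)
    return out


def parse_smb_drops(lines):
    """Return firewall drops of outbound SMB (445/139) connection attempts."""
    out = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if m and m["port"] in ("445", "139"):
            out.append(m.groupdict())
    return out


def correlate(smb_drops, webdav_reqs, window_s=60):
    """Pair each WebDAV request with a preceding blocked SMB attempt from the
    same client to the same destination within window_s seconds. The post
    observed a ~30 s gap; 60 s is this example's assumption with some slack."""
    chains = []
    for req in webdav_reqs:
        t_req = _ts(req["ts"])
        for drop in smb_drops:
            delay = (t_req - _ts(drop["ts"])).total_seconds()
            same = drop["client"] == req["client"] and drop["dst"] == req["host"]
            if same and 0 <= delay <= window_s:
                chains.append({"client": req["client"], "dst": req["host"],
                               "ua": req["ua"], "delay_s": int(delay)})
                break  # one matching drop is enough to establish the chain
    return chains


if __name__ == "__main__":
    found = correlate(parse_smb_drops(FW_LOG.splitlines()),
                      parse_proxy(PROXY_LOG.splitlines()))
    for c in found:
        print(f"{c['client']} -> {c['dst']}: blocked SMB, then WebDAV "
              f"({c['ua']}) after {c['delay_s']}s")
```

On the sample data this reports two chains for client 10.0.0.5 (the DavClnt request 29 seconds after the drop, the MiniRedir request 32 seconds after), ignores the browser request, and does not flag the 10.0.0.9 request because no blocked SMB attempt precedes it. Matching on the User Agent prefix alone is the cheap first filter; the correlation with the blocked SMB attempt is what distinguishes the fallback behaviour from ordinary WebDAV use against an internal server.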