Potential WPAD Spoofing via DNS Record Creation

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Active Directory Use Case: Active Directory Monitoring Data Source: System  ·
Share on: linkedin copy

Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/06/03"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the
13Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for
14privilege escalation and lateral movement.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential WPAD Spoofing via DNS Record Creation"
21references = [
22    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
23    "https://cube0x0.github.io/Pocing-Beyond-DA/",
24]
25risk_score = 47
26rule_id = "894326d2-56c0-4342-b553-4abfaf421b5b"
27setup = """## Setup
28
29The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
30Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)

1
2The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.

Set-AuditRule -AdObjectPath 'AD:\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success

 1"""
 2severity = "medium"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Credential Access",
 8    "Data Source: Active Directory",
 9    "Use Case: Active Directory Monitoring",
10    "Data Source: System",
11]
12timestamp_override = "event.ingested"
13type = "eql"
14
15query = '''
16any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
17    event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
18'''
19
20
21[[rule.threat]]
22framework = "MITRE ATT&CK"
23[[rule.threat.technique]]
24id = "T1557"
25name = "Adversary-in-the-Middle"
26reference = "https://attack.mitre.org/techniques/T1557/"
27
28
29[rule.threat.tactic]
30id = "TA0006"
31name = "Credential Access"
32reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top