WPAD Service Exploit
Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or to upstream DNS traffic can inject malicious JavaScript into the WPAD service, which can lead to a full system compromise.
[metadata]
creation_date = "2020/09/02"
# Data comes from the Elastic Defend (endpoint) integration; see the index patterns under [rule].
integration = ["endpoint"]
# Not a production-ready rule: the note inside the query records that the sequence did not
# fire during testing, so the detection logic is unvalidated. Treat both alerts and the
# absence of alerts with that in mind.
maturity = "development"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to
the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full
system compromise.
"""
# Lookback window per rule execution; the sequence itself is bounded by maxspan=5s in the query.
from = "now-9m"
# Every one of the five sequence steps below needs process, network AND library events. If any
# one of these three data streams is not collected on a host, the sequence can never complete
# and the rule silently never fires there. NOTE(review): confirm that library (DLL load) events
# are enabled in the Defend policy for the hosts in scope — they are the easiest to have off.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "WPAD Service Exploit"
# 73 / "high" — severity and score agree.
risk_score = 73
rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
type = "eql"

# Five-step EQL sequence, all steps joined on the same svchost.exe instance (process.entity_id)
# and all within 5 seconds of each other:
#   1. svchost.exe starts as NT AUTHORITY\LOCAL SERVICE. Presumably the service host for the
#      WinHTTP Web Proxy Auto-Discovery service — confirm. The account is matched on its
#      display name (user.domain + user.name) rather than a SID; the in-query note already
#      flags this. NOTE(review): name matching may miss localized Windows builds where the
#      account name differs; user.sid (S-1-5-19) would be the robust key once available.
#   2. That svchost.exe issues a DNS query whose name is exactly "wpad" (no wildcard). If the
#      collected dns.question.name carries a domain suffix (wpad.<domain>), this step will not
#      match — TODO confirm against real events; a "wpad.*" pattern may be needed.
#   3. The same svchost.exe makes an outbound connection to port 80, to ANY destination — there
#      is no destination.ip filter, so a legitimate PAC fetch satisfies this step as well.
#   4. jscript.dll is loaded into that svchost.exe — presumably the JavaScript engine that would
#      evaluate an injected proxy script; this is the step that distinguishes abuse from a
#      routine fetch.
#   5. That svchost.exe spawns a child process of any name — joined via process.parent.entity_id,
#      so it is the same instance as in steps 1–4.
# Steps 2 and 4 each repeat `process.name : "svchost.exe"`; the duplicate is redundant but harmless.
# The second in-query comment records that the sequence did not fire during testing, so neither
# its true-positive nor its false-positive behaviour has been validated (see maturity = "development").
query = '''
/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
/* didn't trigger successfully during testing */

sequence with maxspan=5s
 [process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and
 user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
 [network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and
 dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
 [network where host.os.type == "windows" and process.name : "svchost.exe"
 and network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
 [library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and
 dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe"] by process.parent.entity_id
'''


[[rule.threat]]
# ATT&CK mapping. Only the privilege-escalation outcome is mapped; the network/DNS-side
# injection vector the description relies on has no technique mapped here.
# NOTE(review): consider whether an additional mapping for that vector is warranted.
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"