WPAD Service Exploit
Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or to upstream DNS traffic can inject malicious JavaScript into the WPAD service, which can lead to a full system compromise.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint"]
maturity = "development"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to
the local network or upstream DNS traffic can inject malicious JavaScript into the WPAD service, which can lead to a full
system compromise.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "WPAD Service Exploit"
risk_score = 73
rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Resources: Investigation Guide"]
type = "eql"

query = '''
/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
/* didn't trigger successfully during testing */

sequence with maxspan=5s
  /* 1. an svchost.exe instance starts under the NT AUTHORITY\LOCAL SERVICE account */
  [process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and
   user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
  /* 2. that instance resolves the "wpad" name over DNS */
  [network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and
   dns.question.name : "wpad"] by process.entity_id
  /* 3. it then fetches over HTTP (port 80), the channel on which the auto-config script is served */
  [network where host.os.type == "windows" and process.name : "svchost.exe" and
   network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
  /* 4. the JScript engine is loaded into the same instance to evaluate the script */
  [library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and
   dll.name : "jscript.dll"] by process.entity_id
  /* 5. the instance spawns a child process, joined on the parent's entity id */
  [process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : "svchost.exe"] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating WPAD Service Exploit

The Web Proxy Auto-Discovery Protocol (WPAD) helps devices on a network automatically find a proxy server. Adversaries can exploit WPAD by injecting malicious scripts into the service, potentially compromising systems. The detection rule identifies suspicious WPAD activity by monitoring specific processes and network behaviors, such as DNS queries and unusual DLL loads, to flag potential privilege escalation attempts.

### Possible investigation steps

- Review the process tree for the svchost.exe instance identified in the alert to understand its parent and child processes, focusing on any unusual or unexpected behavior.
- Analyze DNS query logs for the name "wpad" to identify any suspicious or unauthorized requests, and cross-reference the resolved addresses with known malicious infrastructure.
- Examine network traffic logs for outgoing connections on port 80 from the svchost.exe process to detect any unauthorized data exfiltration or communication with suspicious external IP addresses.
- Investigate the loading of jscript.dll by svchost.exe to determine whether there are any anomalies or signs of script execution that could indicate malicious activity.
- Check for any recent changes or anomalies involving the NT AUTHORITY\\LOCAL SERVICE account, as these could indicate privilege escalation attempts.

### False positive analysis

- Legitimate network services using WPAD may trigger alerts if they perform DNS queries for "wpad" or communicate over port 80. To manage this, identify and whitelist known benign services that frequently use WPAD.
- Routine system updates or software installations might cause svchost.exe to load jscript.dll, leading to false positives. Monitor and document regular update schedules and exclude these time frames from triggering alerts.
- Some enterprise environments use custom scripts or applications that interact with WPAD for legitimate purposes. Review and document these applications, then create exceptions for their known behaviors to prevent unnecessary alerts.
- In environments with frequent DNS changes or testing, legitimate DNS queries for WPAD might be flagged. Establish a baseline of normal DNS activity and adjust the detection rule to accommodate expected patterns.
- If svchost.exe is commonly used by other legitimate processes in your network, consider refining the rule to include additional context or attributes that distinguish malicious from benign activity.

### Response and remediation

- Isolate the affected system from the network immediately to prevent further exploitation or lateral movement by the attacker.
- Terminate any suspicious svchost.exe processes identified in the alert to stop the execution of potentially malicious scripts.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious payloads or scripts.
- Review and reset any potentially compromised credentials, especially those associated with the LOCAL SERVICE account, to prevent unauthorized access.
- Apply security patches and updates to the operating system and all software to mitigate known vulnerabilities that could be exploited by similar attacks.
- Monitor network traffic for any further suspicious DNS queries or unusual outbound connections, particularly those involving the WPAD service, to detect any ongoing or new threats.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to ensure comprehensive remediation and recovery efforts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
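The five-stage sequence above is easiest to reason about when you can run it over events by hand. The following is an added example written for this page, not code from Elastic or from the rule itself: a small Python matcher that mimics the EQL `sequence with maxspan=5s ... by <key>` semantics (ordered stages, a per-stage join key, a time window measured from the first stage) and runs it over constructed sample events. The event dictionaries, their field names and the `svchost_event` helper are assumptions made for the example and stand in for Elastic Defend process, network and library events; the matcher deliberately simplifies real EQL by tracking only one in-progress sequence per join key.

```python
"""Toy re-implementation of the rule's five-stage EQL sequence (added example).

Three constructed cases are included: a full chain inside the window (alert),
an ordinary WPAD lookup with no script engine and no child (no alert), and a
full chain whose child process arrives after maxspan (no alert).
"""
from typing import Callable

MAXSPAN_SECONDS = 5.0

# One (predicate, join-key field) pair per stage, in the order the rule requires.
# Stages 1-4 join on the svchost.exe instance's own entity id; stage 5 joins on
# the child's parent.entity_id, which is what ties the child back to that instance.
STAGES: list[tuple[Callable[[dict], bool], str]] = [
    (lambda e: e["category"] == "process" and e.get("type") == "start"
               and e["process.name"] == "svchost.exe"
               and e.get("user.domain") == "NT AUTHORITY"
               and e.get("user.name") == "LOCAL SERVICE", "entity_id"),
    (lambda e: e["category"] == "network" and e.get("protocol") == "dns"
               and e["process.name"] == "svchost.exe"
               and e.get("dns.question.name") == "wpad", "entity_id"),
    (lambda e: e["category"] == "network" and e["process.name"] == "svchost.exe"
               and e.get("direction") in ("outgoing", "egress")
               and e.get("destination.port") == 80, "entity_id"),
    (lambda e: e["category"] == "library" and e.get("type") == "start"
               and e["process.name"] == "svchost.exe"
               and e.get("dll.name") == "jscript.dll", "entity_id"),
    (lambda e: e["category"] == "process" and e.get("type") == "start"
               and e.get("parent.name") == "svchost.exe", "parent.entity_id"),
]


def find_sequences(events: list[dict], maxspan: float = MAXSPAN_SECONDS) -> list[list[dict]]:
    """Return every completed sequence (a list of five events) found in `events`.

    Simplification versus real EQL: only one in-progress sequence is kept per
    join key, and a new stage-1 event for that key restarts it.
    """
    # key -> (index of the next stage expected, timestamp of stage 1, events matched so far)
    pending: dict[str, tuple[int, float, list[dict]]] = {}
    matches: list[list[dict]] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        first_pred, first_key = STAGES[0]
        if first_pred(e):
            pending[e[first_key]] = (1, e["ts"], [e])
            continue
        for stage_idx in range(1, len(STAGES)):
            pred, key_field = STAGES[stage_idx]
            key = e.get(key_field)
            if key not in pending or pending[key][0] != stage_idx or not pred(e):
                continue
            _, start_ts, matched = pending[key]
            if e["ts"] - start_ts > maxspan:
                del pending[key]  # window expired: the partial sequence is discarded
                break
            matched = matched + [e]
            if stage_idx == len(STAGES) - 1:
                matches.append(matched)
                del pending[key]
            else:
                pending[key] = (stage_idx + 1, start_ts, matched)
            break
    return matches


def svchost_event(ts: float, category: str, entity_id: str, **extra) -> dict:
    """Constructed svchost.exe event; dotted ECS-style keys are passed via `extra`."""
    return {"ts": ts, "category": category, "process.name": "svchost.exe",
            "entity_id": entity_id, **extra}


LOCAL_SERVICE = {"user.domain": "NT AUTHORITY", "user.name": "LOCAL SERVICE"}

# Constructed sample telemetry (timestamps are seconds); not real endpoint data.
SAMPLE_EVENTS = [
    # svc-1: the full chain inside the 5 s window -> one alert expected
    svchost_event(100.0, "process", "svc-1", type="start", **LOCAL_SERVICE),
    svchost_event(100.4, "network", "svc-1", protocol="dns", **{"dns.question.name": "wpad"}),
    svchost_event(101.0, "network", "svc-1", direction="egress", **{"destination.port": 80}),
    svchost_event(101.8, "library", "svc-1", type="start", **{"dll.name": "jscript.dll"}),
    {"ts": 102.3, "category": "process", "type": "start", "process.name": "cmd.exe",
     "entity_id": "child-1", "parent.name": "svchost.exe", "parent.entity_id": "svc-1"},
    # svc-2: routine WPAD lookup and proxy-script fetch, no jscript.dll, no child -> no alert
    svchost_event(200.0, "process", "svc-2", type="start", **LOCAL_SERVICE),
    svchost_event(200.3, "network", "svc-2", protocol="dns", **{"dns.question.name": "wpad"}),
    svchost_event(200.9, "network", "svc-2", direction="egress", **{"destination.port": 80}),
    # svc-3: same chain as svc-1 but the child appears 10 s later -> outside maxspan, no alert
    svchost_event(300.0, "process", "svc-3", type="start", **LOCAL_SERVICE),
    svchost_event(300.4, "network", "svc-3", protocol="dns", **{"dns.question.name": "wpad"}),
    svchost_event(301.0, "network", "svc-3", direction="egress", **{"destination.port": 80}),
    svchost_event(301.8, "library", "svc-3", type="start", **{"dll.name": "jscript.dll"}),
    {"ts": 310.0, "category": "process", "type": "start", "process.name": "powershell.exe",
     "entity_id": "child-3", "parent.name": "svchost.exe", "parent.entity_id": "svc-3"},
]


if __name__ == "__main__":
    for seq in find_sequences(SAMPLE_EVENTS):
        print(f"alert: svchost {seq[0]['entity_id']} spawned {seq[-1]['process.name']} "
              f"{seq[-1]['ts'] - seq[0]['ts']:.1f}s after start")
```

Running it reports a single alert for `svc-1`. Widening `maxspan` to, say, 20 seconds also surfaces `svc-3`, which is the trade-off the rule's 5-second window encodes: a tighter window suppresses slow-developing chains but also most benign WPAD activity, which normally stops after stage 3, since the auto-config script is fetched and parsed without ever spawning a child process.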
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Expired or Revoked Driver Loaded
- Parent Process PID Spoofing
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack