WPAD Service Exploit

Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript into the WPAD service, which can lead to a full system compromise.


 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint"]
 4maturity = "development"
 5updated_date = "2024/04/08"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to
11the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full
12system compromise.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-endpoint.events.library-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "WPAD Service Exploit"
19risk_score = 73
20rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
21severity = "high"
22tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
23type = "eql"
24
25query = '''
26/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
27/* didn't trigger successfully during testing */
28
29sequence with maxspan=5s
30  [process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and
31     user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
32  [network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and
33     dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
34  [network where host.os.type == "windows" and process.name : "svchost.exe"
35     and network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
36  [library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and
37     dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
38  [process where host.os.type == "windows" and event.type == "start" and
39     process.parent.name : "svchost.exe"] by process.parent.entity_id
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1068"
47name = "Exploitation for Privilege Escalation"
48reference = "https://attack.mitre.org/techniques/T1068/"
49
50
51[rule.threat.tactic]
52id = "TA0004"
53name = "Privilege Escalation"
54reference = "https://attack.mitre.org/tactics/TA0004/"
