IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
WPAD Service Exploit
Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. A Windows client resolves the hostname "wpad" over DNS, fetches a Proxy Auto-Configuration (PAC) script from that host over HTTP, and evaluates the script as JavaScript inside the WPAD service, which runs in svchost.exe as LOCAL SERVICE. An attacker who can answer that DNS lookup or tamper with traffic on the local network can therefore deliver a malicious PAC script to the service; a flaw in the script engine can turn that into code execution in the service and, from there, a full system compromise.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
  /* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
  /* didn't trigger successfully during testing */

  sequence with maxspan=5s
    [process where host.os.type == "windows" and event.type == "start" and
      process.name : "svchost.exe" and user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
    [network where host.os.type == "windows" and network.protocol : "dns" and
      process.name : "svchost.exe" and dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
    [network where host.os.type == "windows" and process.name : "svchost.exe" and
      network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
    [library where host.os.type == "windows" and event.type : "start" and
      process.name : "svchost.exe" and dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
    [process where host.os.type == "windows" and event.type == "start" and
      process.parent.name : "svchost.exe"] by process.parent.entity_id
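The sequence above only alerts when all five stages arrive for the same svchost.exe instance (joined on process.entity_id, and on process.parent.entity_id for the final child-process stage) within the 5 second maxspan. The following Python is an added example, not part of the Elastic rule or its documentation: it re-implements that correlation logic in a simplified form and replays it over constructed ECS-style events (sample telemetry, not real logs) for two hosts. Host A shows the full chain inside the window; host B performs the same WPAD lookup and PAC fetch but loads jscript.dll 20 seconds later, so its events never join into an alert. Field names follow ECS as used in the query; the entity ids, timestamps and IP address are made up. Real EQL semantics (several concurrent partial sequences per key, `until`, runs-per-key) are only approximated here.

```python
"""Simplified replay of the WPAD Service Exploit EQL sequence (added example)."""
from datetime import datetime, timedelta, timezone

MAXSPAN = timedelta(seconds=5)

# Each stage is (field constraints, join-key field); a tuple value means "any of".
# The constraints mirror the rule query's five sub-queries.
STAGES = [
    ({"event.category": "process", "event.type": "start", "process.name": "svchost.exe",
      "user.domain": "NT AUTHORITY", "user.name": "LOCAL SERVICE"}, "process.entity_id"),
    ({"event.category": "network", "network.protocol": "dns", "process.name": "svchost.exe",
      "dns.question.name": "wpad"}, "process.entity_id"),
    ({"event.category": "network", "process.name": "svchost.exe",
      "network.direction": ("outgoing", "egress"), "destination.port": 80}, "process.entity_id"),
    ({"event.category": "library", "event.type": "start", "process.name": "svchost.exe",
      "dll.name": "jscript.dll"}, "process.entity_id"),
    ({"event.category": "process", "event.type": "start", "process.parent.name": "svchost.exe"},
     "process.parent.entity_id"),
]


def _match(event, fields):
    """True if every constrained field equals the event's value (strings case-insensitive)."""
    for name, want in fields.items():
        got = event.get(name)
        if isinstance(want, tuple):
            if got not in want:
                return False
        elif isinstance(want, str) and isinstance(got, str):
            if got.lower() != want.lower():
                return False
        elif got != want:
            return False
    return True


def run_sequence(events, stages=STAGES, maxspan=MAXSPAN):
    """Return completed sequences (lists of events), one partial sequence per join key."""
    partial = {}   # join key -> (next stage index, events so far, timestamp of stage 0)
    matches = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e.get("host.os.type") != "windows":
            continue
        for i, (fields, key_field) in enumerate(stages):
            if key_field not in e or not _match(e, fields):
                continue
            key = e[key_field]
            if i == 0:                       # stage 0 (re)starts the chain for this key
                partial[key] = (1, [e], e["@timestamp"])
                continue
            state = partial.get(key)
            if state is None or state[0] != i:
                continue                     # not the stage this key is waiting for
            nxt, seen, start = state
            if e["@timestamp"] - start > maxspan:
                del partial[key]             # outside maxspan: EQL will not join it
                break
            seen = seen + [e]
            if nxt + 1 == len(stages):
                matches.append(seen)
                del partial[key]
            else:
                partial[key] = (nxt + 1, seen, start)
            break
    return matches


def summarize(match):
    """Flatten one completed sequence into the fields an analyst triages first."""
    start, dns, http, dll, child = match
    return {"svchost_entity": start["process.entity_id"], "dns_name": dns["dns.question.name"],
            "pac_server": http.get("destination.ip"), "script_engine": dll["dll.name"],
            "child_process": child["process.name"]}


def _t(sec):
    return datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=sec)


def _svc(entity, ts, **fields):
    e = {"@timestamp": ts, "host.os.type": "windows", "process.name": "svchost.exe",
         "process.entity_id": entity}
    e.update(fields)
    return e


def _child(parent, ts):
    return {"@timestamp": ts, "host.os.type": "windows", "event.category": "process",
            "event.type": "start", "process.name": "cmd.exe", "process.entity_id": "child-" + parent,
            "process.parent.name": "svchost.exe", "process.parent.entity_id": parent}


def _chain(entity, t0, dll_delay):
    """Constructed telemetry for one host; dll_delay controls whether it fits maxspan."""
    return [
        _svc(entity, _t(t0), **{"event.category": "process", "event.type": "start",
                                "user.domain": "NT AUTHORITY", "user.name": "LOCAL SERVICE"}),
        _svc(entity, _t(t0 + 1), **{"event.category": "network", "network.protocol": "dns",
                                    "dns.question.name": "wpad", "destination.port": 53}),
        _svc(entity, _t(t0 + 2), **{"event.category": "network", "network.direction": "egress",
                                    "destination.port": 80, "destination.ip": "192.0.2.10"}),
        _svc(entity, _t(t0 + dll_delay), **{"event.category": "library", "event.type": "start",
                                            "dll.name": "jscript.dll"}),
        _child(entity, _t(t0 + dll_delay + 1)),
    ]


SAMPLE_EVENTS = _chain("svc-A", 0, 3) + _chain("svc-B", 10, 22)   # constructed, not real logs

if __name__ == "__main__":
    for m in run_sequence(SAMPLE_EVENTS):
        print(summarize(m))
```

Running the block prints one alert for svc-A only; the svc-B chain is discarded at the jscript.dll stage because 22 seconds exceed the maxspan, which is exactly the behaviour that keeps ordinary WPAD lookups followed by unrelated later activity from alerting. Note the rule's own comment that it did not trigger during the author's testing: the example shows how the stages correlate, not a guarantee that Elastic Defend emits each of them for a real exploitation attempt.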
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Privilege Escalation
  - ID: TA0004
  - Reference URL: https://attack.mitre.org/tactics/TA0004/
- Technique:
  - Name: Exploitation for Privilege Escalation
  - ID: T1068
  - Reference URL: https://attack.mitre.org/techniques/T1068/