{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wpad-spoofing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["credential-access","wpad-spoofing","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeb Proxy Auto-Discovery (WPAD) is a protocol that allows devices to automatically discover proxy settings, but it can be exploited by attackers to redirect traffic through malicious proxies. This detection identifies the creation of a \u0026ldquo;wpad\u0026rdquo; DNS record, which is a common technique used in WPAD spoofing attacks. Attackers can disable the Global Query Block List (GQBL) and create a rogue \u0026ldquo;wpad\u0026rdquo; record. Event code 5137 is logged when directory service changes are made, and this rule focuses on changes related to the creation of wpad records. This is important for defenders because successful WPAD spoofing can lead to credential access and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system with sufficient privileges to modify DNS records, often an Active Directory account.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the Global Query Block List (GQBL) to allow the creation of unauthorized DNS records.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new DNS record for \u0026ldquo;wpad\u0026rdquo; in Active Directory DNS, which is logged as event code 5137.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;ObjectDN\u0026rsquo; attribute of the DNS record contains \u0026ldquo;DC=wpad,*\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eClients on the network query the DNS server for the \u0026ldquo;wpad\u0026rdquo; record.\u003c/li\u003e\n\u003cli\u003eThe DNS server responds with the attacker-controlled IP address.\u003c/li\u003e\n\u003cli\u003eClients automatically configure their proxy settings to use the attacker\u0026rsquo;s proxy server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts network traffic, potentially capturing credentials and sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful WPAD spoofing can allow attackers to intercept sensitive information, including credentials, as users browse the web. This can lead to further compromise of systems and data within the network. While the number of victims is difficult to quantify, the impact can be significant within an organization if the attack is successful. This attack targets organizations using default WPAD settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Changes to generate Windows Security Event Logs (event code 5137) as described in the setup instructions to ensure the rule functions correctly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential WPAD Spoofing via DNS Record Creation\u0026rdquo; to your SIEM to detect suspicious \u0026ldquo;wpad\u0026rdquo; record creations.\u003c/li\u003e\n\u003cli\u003eReview Active Directory change history when the Sigma rule triggers to determine who made the changes to the DNS records and whether these changes were authorized, as outlined in the investigation guide.\u003c/li\u003e\n\u003cli\u003eRegularly verify the configuration of the Global Query Block List (GQBL) to ensure it has not been disabled or altered, as described in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-06-wpad-spoofing/","summary":"Detection of a Windows DNS record creation event (5137) with an ObjectDN attribute containing 'DC=wpad', which indicates a potential WPAD spoofing attack to enable privilege escalation and lateral movement.","title":"Potential WPAD Spoofing via DNS Record Creation","url":"https://feed.craftedsignal.io/briefs/2024-06-wpad-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed — Wpad-Spoofing","version":"https://jsonfeed.org/version/1.1"}