Query Details

09 DNS WPAD Abuse

Query

id: a1b2c3d4-0009-4a5b-8c9d-dns009wpad
name: WPAD Auto-Discovery DNS Lookup Abuse
description: |
  Detects queries for 'wpad' (Web Proxy Auto-Discovery) or 'isatap' from
  multiple internal clients. Attackers abuse WPAD, whose lookups fall back
  from DNS to LLMNR and NetBIOS Name Service when DNS returns no answer, to
  direct proxy configuration requests to an attacker-controlled host.
  Tools like Responder and Inveigh intercept these broadcasts/queries and
  respond with a fake WPAD server to capture NTLM credentials or serve
  malicious PAC files that redirect all HTTP(S) traffic through the attacker.
  Note: WPAD lookups in an environment with no corporate WPAD server indicate
  that clients are exposed to this poisoning.
  MITRE T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
  - Collection
relevantTechniques:
  - T1557.001
tags:
  - WPAD
  - Responder
  - Inveigh
  - NTLM relay
  - NetBIOS
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  | where DnsQuery has "wpad" or DnsQuery has "isatap"
  | summarize
      LookupCount  = count(),
      UniqueHosts  = dcount(SrcIpAddr),
      Hosts        = make_set(SrcHostname, 20),
      ResponseCode = make_set(DnsResponseCodeName)
    by DnsQuery
  | where UniqueHosts > 3
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: DnsQuery
alertDetailsOverride:
  alertDisplayNameFormat: "WPAD Lookup Abuse — {{UniqueHosts}} hosts querying {{DnsQuery}}"
  alertDescriptionFormat: "{{UniqueHosts}} internal hosts are querying '{{DnsQuery}}'. If no corporate WPAD server exists, clients are vulnerable to Responder/Inveigh NTLM credential capture. Hosts: {{Hosts}}"
customDetails:
  UniqueHosts: UniqueHosts
  ResponseCodes: ResponseCode

Explanation

This query is designed to detect potential security threats related to the abuse of the Web Proxy Auto-Discovery (WPAD) protocol. Here's a simplified summary:

  • Purpose: The query identifies DNS queries for "wpad" or "isatap" coming from multiple internal clients. This could indicate an attempt to exploit WPAD to redirect proxy configuration requests to a malicious server controlled by an attacker.

  • Threat: Attackers can use tools like Responder and Inveigh to intercept these requests and respond with a fake WPAD server. This allows them to capture NTLM credentials or serve malicious proxy configuration files, potentially redirecting all HTTP(S) traffic through the attacker's server.

  • Detection Criteria:
    • The query looks at DNS activity logs from the past hour.
    • It counts the number of queries and identifies the unique internal hosts making these queries.
    • An alert is triggered if more than three unique hosts are querying for "wpad" or "isatap".

  • Severity: The threat level is considered medium.

  • Alert Details:
    • The alert displays the number of unique hosts involved and the specific query they made.
    • It also lists the hostnames of the querying clients and any DNS response codes received.

  • Relevance: This is associated with the MITRE ATT&CK technique T1557.001, which involves poisoning name resolution protocols to capture credentials.

Overall, this query helps identify potential security vulnerabilities related to WPAD that could lead to credential theft or unauthorized data collection.
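The following is an added example, not part of the rule or this page's content: a stand-alone Python replay of the query's filter and summarize stages over a constructed set of ASimDnsActivityLogs-shaped records. It approximates KQL's `has` (whole-term, case-insensitive match) rather than substring matching, which is why a query like `wpadmin.example` is not matched, and it adds a triage flag (an assumption of this example, not a field of the rule) that is set when every response for a flagged name was NXDOMAIN, i.e. no corporate WPAD server answered and clients would fall back to LLMNR/NBT-NS. The record values, hostnames and IP addresses are constructed for illustration.

```python
"""Replay of the WPAD/ISATAP lookup detection over constructed DNS records."""
import re
from collections import defaultdict

# Constructed sample rows shaped like ASimDnsActivityLogs (not real telemetry).
SAMPLE_LOGS = [
    {"SrcIpAddr": "10.0.1.11", "SrcHostname": "ws01", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.11", "SrcHostname": "ws01", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.12", "SrcHostname": "ws02", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.13", "SrcHostname": "ws03", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.14", "SrcHostname": "ws04", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.15", "SrcHostname": "ws05", "DnsQuery": "wpad.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    # Only two hosts query isatap: below the UniqueHosts > 3 threshold, so no alert.
    {"SrcIpAddr": "10.0.1.12", "SrcHostname": "ws02", "DnsQuery": "isatap.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    {"SrcIpAddr": "10.0.1.13", "SrcHostname": "ws03", "DnsQuery": "isatap.corp.example", "DnsResponseCodeName": "NXDOMAIN"},
    # "wpadmin" is a single term, so KQL `has "wpad"` does not match it.
    {"SrcIpAddr": "10.0.1.16", "SrcHostname": "ws06", "DnsQuery": "wpadmin.example", "DnsResponseCodeName": "NOERROR"},
    {"SrcIpAddr": "10.0.1.17", "SrcHostname": "ws07", "DnsQuery": "www.example.com", "DnsResponseCodeName": "NOERROR"},
]


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term."""
    terms = re.split(r"[^a-z0-9_]+", text.lower())
    return term.lower() in terms


def detect_wpad_abuse(records, min_unique_hosts: int = 3, max_hosts_listed: int = 20):
    """Mirror the rule's `where` / `summarize ... by DnsQuery` / `where UniqueHosts > 3`.

    Returns one alert dict per flagged DnsQuery with the same column names the
    rule produces, plus NoCorporateWpadServer (an assumption of this example):
    True when every observed response code for the name was NXDOMAIN.
    """
    groups = defaultdict(lambda: {"LookupCount": 0, "src_ips": set(), "hosts": [], "codes": set()})
    for rec in records:
        query = rec["DnsQuery"]
        if not (has_term(query, "wpad") or has_term(query, "isatap")):
            continue
        grp = groups[query]
        grp["LookupCount"] += 1                      # count()
        grp["src_ips"].add(rec["SrcIpAddr"])         # dcount(SrcIpAddr)
        host = rec["SrcHostname"]                    # make_set(SrcHostname, 20)
        if host not in grp["hosts"] and len(grp["hosts"]) < max_hosts_listed:
            grp["hosts"].append(host)
        grp["codes"].add(rec["DnsResponseCodeName"])  # make_set(DnsResponseCodeName)

    alerts = []
    for query, grp in groups.items():
        unique_hosts = len(grp["src_ips"])
        if unique_hosts > min_unique_hosts:
            alerts.append({
                "DnsQuery": query,
                "LookupCount": grp["LookupCount"],
                "UniqueHosts": unique_hosts,
                "Hosts": sorted(grp["hosts"]),
                "ResponseCode": sorted(grp["codes"]),
                "NoCorporateWpadServer": grp["codes"] == {"NXDOMAIN"},
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_wpad_abuse(SAMPLE_LOGS):
        print(f"{alert['UniqueHosts']} hosts querying {alert['DnsQuery']}: {alert}")
```

The NoCorporateWpadServer flag is the tuning signal a responder would want first: a name that resolves (NOERROR) to the organisation's known proxy host is expected behaviour and a candidate for an allowlist, whereas a name that consistently returns NXDOMAIN from many clients means those clients will keep retrying over LLMNR and NetBIOS, which is exactly the condition Responder and Inveigh wait for.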

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogs, Wpad, Isatap, SrcIpAddr, SrcHostname, DnsResponseCodeName, DomainName, UniqueHosts, ResponseCodes

Operators

ago(), has, summarize, count(), dcount(), make_set(), where