Query Details

WPAD Auto-Discovery DNS Lookup Abuse

09 DNS WPAD Abuse

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQuery has "wpad" or DnsQuery has "isatap"
| summarize
    LookupCount  = count(),
    UniqueHosts  = dcount(SrcIpAddr),
    Hosts        = make_set(SrcHostname, 20),
    ResponseCode = make_set(DnsResponseCodeName)
  by DnsQuery
| where UniqueHosts > 3

Explanation

This query is designed to detect potential security threats related to the abuse of the Web Proxy Auto-Discovery (WPAD) protocol. Here's a simplified summary:

  • Purpose: The query identifies high-volume DNS queries for "wpad" or "isatap" from multiple internal clients. This could indicate an attempt to exploit WPAD to redirect proxy configuration requests to a malicious server controlled by an attacker.

  • Threat: Attackers can use tools like Responder and Inveigh to intercept these requests and respond with a fake WPAD server. This allows them to capture NTLM credentials or serve malicious proxy configuration files, potentially redirecting all HTTP(S) traffic through the attacker's server.

  • Detection Criteria:

    • The query looks at DNS activity logs from the past hour.
    • It counts the number of queries and identifies unique internal hosts making these queries.
    • An alert is triggered if more than three unique hosts are querying for "wpad" or "isatap".
  • Severity: The threat level is considered medium.

  • Alert Details:

    • The alert will display the number of unique hosts involved and the specific query they made.
    • It will also list the hostnames of the querying clients and any DNS response codes received.
  • Relevance: This is associated with the MITRE ATT&CK technique T1557.001, which involves poisoning name resolution protocols to capture credentials.

Overall, this query helps identify potential security vulnerabilities related to WPAD that could lead to credential theft or unauthorized data collection.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsWpadIsatapSrcIpAddrHostnameResponseCodeNameDomainUniqueHostsCodes

Operators

ago()hassummarizecount()dcount()make_set()where

Severity

Medium

Tactics

CredentialAccessCollection

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub