Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Potential WPAD Spoofing via DNS Record Creation #3748

Merged
merged 3 commits into from
Jun 20, 2024
Merged

[New Rule] Potential WPAD Spoofing via DNS Record Creation #3748

merged 3 commits into from
Jun 20, 2024

Conversation

w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Jun 3, 2024

Issues

Related to #3544 & #3005

Summary

Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.

@w0rk3r w0rk3r added Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Jun 3, 2024
@w0rk3r w0rk3r self-assigned this Jun 3, 2024
terrancedejesus
terrancedejesus approved these changes Jun 4, 2024
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice rule!

@w0rk3r w0rk3r mentioned this pull request Jun 5, 2024
Closed
@w0rk3r w0rk3r merged commit 3fd9bae into main Jun 20, 2024
9 checks passed
@w0rk3r w0rk3r deleted the wpad_record branch June 20, 2024 12:34
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
ec53300 
(cherry picked from commit 3fd9bae)
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
63cf04c 
(cherry picked from commit 3fd9bae)
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
b8c63b0 
(cherry picked from commit 3fd9bae)
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
a245e41 
(cherry picked from commit 3fd9bae)
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
a09957c 
(cherry picked from commit 3fd9bae)
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
@w0rk3r @github-actions
[New Rule] Potential WPAD Spoofing via DNS Record Creation (#3748)
9e5f159 
(cherry picked from commit 3fd9bae)
@w0rk3r w0rk3r mentioned this pull request Jul 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Samirbous Samirbous Samirbous approved these changes

@Aegrah Aegrah Aegrah approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@brokensound77 brokensound77 Awaiting requested review from brokensound77

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

Assignees

@w0rk3r w0rk3r

Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@w0rk3r @Samirbous @Aegrah @terrancedejesus