From 13c0a17e00babd0bd1473fdf7ca0668108cce8d5 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 3 Jun 2024 19:38:40 -0300
Subject: [PATCH] [New Rule] Potential WPAD Spoofing via DNS Record Creation

---
 .../credential_access_adidns_wpad_record.toml | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 rules/windows/credential_access_adidns_wpad_record.toml

diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
new file mode 100644
index 00000000000..ab0782ec66c
--- /dev/null
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2024/06/03"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the
+Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for
+privilege escalation and lateral movement.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential WPAD Spoofing via DNS Record Creation"
+references = [
+    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
+    "https://cube0x0.github.io/Pocing-Beyond-DA/",
+]
+risk_score = 47
+rule_id = "894326d2-56c0-4342-b553-4abfaf421b5b"
+setup = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.action == "Directory Service Changes" and
+    event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+