Versions (2)
Version Details (Current)
Rev: 3 • Apr 4, 2023, 12:00 PM
🐾 - 🚨 WPAD via MDNS protocol 🤕 observed - Multicast query from Windows 🪟 observed
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 WPAD via MDNS protocol 🤕 observed - Multicast query from Windows 🪟 observed"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|77 70 61 64 05 6c 6f 63 61 6c|"; reference:url,https://trelis24.github.io/2018/08/03/Windows-WPAD-Poisoning-Responder/; reference:url,https://www.sentinelone.com/blog/in-the-wild-wpad-attack-how-threat-actors-abused-flawed-protocol-for-years/; reference:url,https://www.blumira.com/integration/disable-llmnr-netbios-wpad-lm-hash/; metadata:created_at 2023_04_04, updated_at 2025_01_05; sid:3300151; rev:3; classtype:policy-violation;)
Apr 4, 2023, 12:00 PM
Jan 5, 2025, 12:00 PM
Feb 21, 2024, 4:00 PM
May 29, 2025, 11:12 PM
rules/PAW-PATRULES_VULN.rules