🐾 - 🚨 WPAD via MDNS protocol 🤕 observed - Multicast query from Windows 🪟 observed
Source: pawpatrules
Created: April 4, 2023
Updated: January 5, 2025
Classification: policy-violation
alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 WPAD via MDNS protocol 🤕 observed - Multicast query from Windows 🪟 observed"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:"|77 70 61 64 05 6c 6f 63 61 6c|"; reference:url,https://trelis24.github.io/2018/08/03/Windows-WPAD-Poisoning-Responder/; reference:url,https://www.sentinelone.com/blog/in-the-wild-wpad-attack-how-threat-actors-abused-flawed-protocol-for-years/; reference:url,https://www.blumira.com/integration/disable-llmnr-netbios-wpad-lm-hash/; metadata:created_at 2023_04_04, updated_at 2025_01_05; sid:3300151; rev:3; classtype:policy-violation;)
References
Metadata
created at: 2023_04_04
updated at: 2025_01_05