Uncommon WPAD queries

Cortex XDR Analytics Alert Reference by data source
Product
Cortex XDR
Last date published
2025-03-09
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Adversary-in-the-Middle (T1557)

Severity

Informational

Description

There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

Attacker's Goals

  • Attackers may attempt to move laterally over the network by exploiting problems in WPAD.

Investigative actions

  • Verify that the source host is legitimate.
  • Examine the legitimacy of the application that produced this uncommon WPAD.
  • Examine the parent process of this application.

Variations

Uncommon WPAD queries to a external domain

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Adversary-in-the-Middle (T1557)

Severity

Informational

Description

There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

Attacker's Goals

  • Attackers may attempt to move laterally over the network by exploiting problems in WPAD.

Investigative actions

  • Verify that the source host is legitimate.
  • Examine the legitimacy of the application that produced this uncommon WPAD.
  • Examine the parent process of this application.


Suspicious WPAD queries

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Adversary-in-the-Middle (T1557)

Severity

Low

Description

There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

Attacker's Goals

  • Attackers may attempt to move laterally over the network by exploiting problems in WPAD.

Investigative actions

  • Verify that the source host is legitimate.
  • Examine the legitimacy of the application that produced this uncommon WPAD.
  • Examine the parent process of this application.


Uncommon WPAD queries using an uncommon port

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Adversary-in-the-Middle (T1557)

Severity

Informational

Description

There were multiple attempts to access WPAD resources by a single host in your network. This may indicate a malicious activity.

Attacker's Goals

  • Attackers may attempt to move laterally over the network by exploiting problems in WPAD.

Investigative actions

  • Verify that the source host is legitimate.
  • Examine the legitimacy of the application that produced this uncommon WPAD.
  • Examine the parent process of this application.