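/* Preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources. */
/* NOTE(review): this sequence did not trigger successfully during testing — treat it as experimental and
   validate it against real telemetry before relying on it for alerting. One likely contributor: maxspan=5s
   is measured from the FIRST stage (svchost.exe process start), so an already-running svchost.exe instance
   that later performs the WPAD DNS lookup / HTTP fetch / jscript.dll load can never satisfy the window. */
/* Detection chain, every stage joined on the same svchost.exe process.entity_id:
   1. svchost.exe starts as NT AUTHORITY\LOCAL SERVICE (presumably the account the WPAD/WinHTTP auto-proxy
      service host runs under — confirm against your endpoints).
   2. that process issues a DNS query for "wpad" (WPAD auto-discovery).
      Caveat: this is an exact (case-insensitive) match on "wpad"; if the data source records the
      suffix-appended FQDN (e.g. wpad.<corp-domain>) this stage will not match — consider
      dns.question.name : ("wpad", "wpad.*") after checking what your DNS events actually carry.
   3. that process makes an outbound connection to TCP/80 (the PAC file is fetched over plain HTTP).
   4. that process loads jscript.dll (expected for PAC script evaluation; its presence alone is benign).
   5. that process spawns a child process — a proxy-discovery service should not spawn children,
      so this is the stage that carries the signal. */
sequence with maxspan=5s
  [process where host.os.type == "windows" and event.type == "start" and
   process.name : "svchost.exe" and
   user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
  [network where host.os.type == "windows" and network.protocol : "dns" and
   process.name : "svchost.exe" and dns.question.name : "wpad"] by process.entity_id
  [network where host.os.type == "windows" and process.name : "svchost.exe" and
   network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
  [library where host.os.type == "windows" and event.type == "start" and
   process.name : "svchost.exe" and dll.name : "jscript.dll"] by process.entity_id
  /* Child process joins on its parent's entity_id so it correlates to the same svchost.exe as stages 1-4. */
  [process where host.os.type == "windows" and event.type == "start" and
   process.parent.name : "svchost.exe"] by process.parent.entity_id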
Install detection rules in Elastic Security
Detect WPAD service exploitation in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules. Note that this sequence is marked as not having triggered during testing, so validate it against your own telemetry before relying on it.