topic Example Signature for WPAD.DAT Exploitation (TA16-144A) in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/example-signature-for-wpad-dat-exploitation-ta16-144a/m-p/78973#M96 <P>One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own.</P> <P>&nbsp;</P> <P>The technical details are available at: <A href="https://www.us-cert.gov/ncas/alerts/TA16-144A" target="_self">https://www.us-cert.gov/ncas/alerts/TA16-144A</A></P> <P>&nbsp;</P> <P>There are three avenues of detection I am aware of:</P> <P>&nbsp;</P> <P>1) Detecting a DNS query with "wpad." in the content. This does not appear possible with the current custom signature engine, as there is not a 7 byte static anchor to signature off of.</P> <P>&nbsp;</P> <P>2) Detecting an HTTP transaction in which the content of the "Host" header starts with "wpad."</P> <P>&nbsp;</P> <P>3) Detecting an HTTP transaction in which the URI contains "wpad.dat"</P> <P>&nbsp;</P> <P>I've written a custom signature that covers points 2 and 3 to illustrate what is possible.</P> <P>&nbsp;</P> <P>This signature was written as an example to illustrate what the custom signature engine can do. It has minimal testing in a production environment, and is meant as a pivot point for creating your own custom protections.</P> <P>&nbsp;</P> <P>It's also imperative to remember that this signature will be very noisy if it is applied to internal environments, and makes the most sense only applied to traffic destined for the untrust zone.</P> <P>&nbsp;</P> <P>Have fun, signature enthusiasts!</P> Wed, 01 Jun 2016 20:29:14 GMT rcole 2016-06-01T20:29:14Z Example Signature for WPAD.DAT Exploitation (TA16-144A) https://live.paloaltonetworks.com/t5/custom-signatures/example-signature-for-wpad-dat-exploitation-ta16-144a/m-p/78973#M96 <P>One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own.</P> <P>&nbsp;</P> <P>The technical details are available at: <A href="https://www.us-cert.gov/ncas/alerts/TA16-144A" target="_self">https://www.us-cert.gov/ncas/alerts/TA16-144A</A></P> <P>&nbsp;</P> <P>There are three avenues of detection I am aware of:</P> <P>&nbsp;</P> <P>1) Detecting a DNS query with "wpad." in the content. This does not appear possible with the current custom signature engine, as there is not a 7 byte static anchor to signature off of.</P> <P>&nbsp;</P> <P>2) Detecting an HTTP transaction in which the content of the "Host" header starts with "wpad."</P> <P>&nbsp;</P> <P>3) Detecting an HTTP transaction in which the URI contains "wpad.dat"</P> <P>&nbsp;</P> <P>I've written a custom signature that covers points 2 and 3 to illustrate what is possible.</P> <P>&nbsp;</P> <P>This signature was written as an example to illustrate what the custom signature engine can do. It has minimal testing in a production environment, and is meant as a pivot point for creating your own custom protections.</P> <P>&nbsp;</P> <P>It's also imperative to remember that this signature will be very noisy if it is applied to internal environments, and makes the most sense only applied to traffic destined for the untrust zone.</P> <P>&nbsp;</P> <P>Have fun, signature enthusiasts!</P> Wed, 01 Jun 2016 20:29:14 GMT https://live.paloaltonetworks.com/t5/custom-signatures/example-signature-for-wpad-dat-exploitation-ta16-144a/m-p/78973#M96 rcole 2016-06-01T20:29:14Z