RULE(RULE ID:339630)

Rule General Information
Release Date: 2025-11-18
Rule Name: NTLM Hash Exfiltration Detection - WPAD Server Spoofing
Severity:
CVE ID:
Rule Protection Details
Description: WPAD (Web Proxy Auto-Discovery) is a mechanism designed to automatically discover web proxy configurations. Clients use WPAD to locate and download a proxy configuration script, which determines which requests should be routed through a proxy and which should connect directly. If an attacker is able to control DNS, DHCP, or WPAD responses within the local network, they can return a malicious PAC file that instructs clients to use an attacker-controlled proxy. During communication with this proxy, clients may initiate NTLM or Negotiate authentication, leading to credential exposure or enabling NTLM relay attacks. This rule detects suspicious activity indicative of a forged WPAD server attempting to capture NTLM credentials. When this rule is triggered, please verify the legitimacy of the host referenced in the file:// path within the WPAD response.
Impact: An attacker can disguise their identity and deceive users to gain an illegitimate advantage.
Affected OS: Windows, Linux, Others
Reference:
Solutions
Please contact the software vendor to obtain the software patch update.
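Triage aid for the verification step in the Description, added here as an example; it is not Hillstone's rule logic. It pulls every remote host out of a captured WPAD response body (file:// references and PROXY/SOCKS directives) and reports those missing from an allowlist. The allowlist contents, function names and sample bodies are assumptions constructed for illustration.

```python
import re

# Assumption: hosts the organisation really operates; the analyst fills this in.
TRUSTED_HOSTS = {"proxy.corp.example", "fileserver.corp.example"}

# file: followed by a run of slashes, then the first path/host token.
FILE_URL = re.compile(r"file:(/+)([A-Za-z0-9._-]+)", re.IGNORECASE)
# Proxy directives as they appear in a PAC return string ("PROXY host:port").
PROXY_DIRECTIVE = re.compile(r"\b(?:PROXY|SOCKS[45]?)\s+([A-Za-z0-9._-]+)",
                             re.IGNORECASE)


def referenced_hosts(body):
    """Return a set of (kind, host) for each remote host the response names."""
    found = set()
    for slashes, token in FILE_URL.findall(body):
        # file:/path and file:///C:/path are local paths with no remote host;
        # file://host/... and file:////host/... (UNC form) name a server.
        if len(slashes) in (1, 3):
            continue
        found.add(("file", token.lower()))
    for host in PROXY_DIRECTIVE.findall(body):
        found.add(("proxy", host.lower()))
    return found


def untrusted_hosts(body, trusted=frozenset(TRUSTED_HOSTS)):
    """Hosts referenced by the WPAD response that are not on the allowlist."""
    return sorted(h for h in referenced_hosts(body) if h[1] not in trusted)


# Constructed sample bodies, not captured traffic.
SAMPLE_OK = ('function FindProxyForURL(url, host) '
             '{ return "PROXY proxy.corp.example:8080; DIRECT"; }')
SAMPLE_SUSPECT = '''function FindProxyForURL(url, host) {
  var ref = "file://unknown-host.example/share/a.png";
  return "PROXY unknown-host.example:3128; DIRECT";
}'''

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("suspect", SAMPLE_SUSPECT)):
        print(name, untrusted_hosts(body))
```

Any host it reports still needs confirmation against DNS, DHCP option 252 and asset records before the alert is closed or escalated.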