N-WPAD-INJECTIONCredential Access

WPAD Proxy Auto-Config Injection

Serve a wpad.dat that proxies every browser request through the attacker — credential capture + injection.

§ Where this technique fits

N-WPAD-INJECTION is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
step 3 / 7

§ What commonly comes next

01
LLMNR/NBT-NS Poisoning and SMB Relay
T1557.001 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

mitm6 IPv6 SLAAC → NTLM relay → DA

§ What commonly comes next