Potential WPAD Spoofing via DNS Record Creation

Elastic Detection Rules

Summary
This detection rule identifies the unauthorized creation of a DNS record that could facilitate WPAD (Web Proxy Auto-Discovery) spoofing. In a WPAD spoofing attack, an adversary abuses the automatic proxy-discovery process by creating a malicious DNS entry, specifically a 'wpad' record in Active Directory-integrated DNS. Because the Global Query Block List (GQBL) blocks resolution of 'wpad' by default, an attacker must first disable that protection and then create the record; the resulting proxy hijack can then be used for privilege escalation and lateral movement within the network, posing significant security risk. The rule uses EQL (Event Query Language) to filter Windows events indicative of DNS changes involving the 'wpad' entry: when an event with code 5137 (a directory service object was created) is recorded for such an entry, the rule raises an alert indicating a potential WPAD spoofing attempt. Setup requires enabling auditing of Directory Service changes in Group Policy so that the relevant events are captured. The rule also includes guidance on monitoring and response strategies to mitigate the impact of such activity.
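As an added illustration (not Elastic's rule source), the following Python approximates the filter and runs it over three constructed events shaped like Winlogbeat/Elastic Agent JSON. The field names host.os.type, event.code, winlog.event_data.ObjectDN and winlog.event_data.SubjectUserName are assumed from typical Windows Security event ingestion, and matching the first RDN exactly against DC=wpad is the assumed form of the 'wpad' check.

```python
# Constructed sample events (not real telemetry). Event 5137 = "A directory service
# object was created"; AD-integrated DNS nodes live under a CN=MicrosoftDNS container.
SAMPLE_EVENTS = [
    # 1: a 'wpad' dnsNode created by an ordinary user -> should alert
    {"event": {"code": "5137"}, "host": {"os": {"type": "windows"}},
     "winlog": {"event_data": {
         "ObjectDN": "DC=WPAD,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
         "ObjectClass": "dnsNode", "SubjectUserName": "jdoe"}}},
    # 2: a host whose name merely starts with "wpad" -> must not alert
    {"event": {"code": "5137"}, "host": {"os": {"type": "windows"}},
     "winlog": {"event_data": {
         "ObjectDN": "DC=wpad-docs,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
         "ObjectClass": "dnsNode", "SubjectUserName": "dnsadmin"}}},
    # 3: same DN but a modification (5136), outside this rule's scope
    {"event": {"code": "5136"}, "host": {"os": {"type": "windows"}},
     "winlog": {"event_data": {
         "ObjectDN": "DC=wpad,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
         "ObjectClass": "dnsNode", "SubjectUserName": "jdoe"}}},
]


def _get(event, path):
    """Walk a dotted ECS-style path; return None if any hop is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_wpad_dns_record_creation(event):
    """Approximation of the rule logic: Windows host, object-created event, DN of a wpad node."""
    if _get(event, "host.os.type") != "windows" or str(_get(event, "event.code")) != "5137":
        return False
    dn = _get(event, "winlog.event_data.ObjectDN")
    if not dn:
        return False
    # The first RDN must be exactly DC=wpad (AD DN comparison is case-insensitive),
    # and the object must sit under a MicrosoftDNS container, i.e. be a DNS node.
    first_rdn = dn.split(",", 1)[0].strip().lower()
    return first_rdn == "dc=wpad" and ",cn=microsoftdns," in dn.lower()


def scan(events):
    """Return one hit per matching event, carrying who created the record and where."""
    return [{"user": _get(ev, "winlog.event_data.SubjectUserName"),
             "dn": _get(ev, "winlog.event_data.ObjectDN")}
            for ev in events if is_wpad_dns_record_creation(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: wpad DNS node created by {hit['user']}: {hit['dn']}")
```

Only the first event is reported; the near-miss name in the second and the non-creation event code in the third are intentionally excluded, which mirrors why the rule keys on event 5137 rather than on any change touching a wpad-like name.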
Categories
  • Windows
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
ATT&CK Techniques
  • T1557
Created: 2024-06-03