itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows


Check for vulnerable WPAD configuration?

AdrianVollmer opened this issue · comments

By default, Windows machines perform automatic proxy discovery. This makes some man-in-the-middle attacks easier, see for example: https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

The reason is that they download the settings from wpad.corp.local and other hosts without any sort of verification.

Sure, there are many other ways to get a MitM position, and if every service was properly hardened (i.e. validate certs, enforce SMB signing, etc), it wouldn't matter much. But many Windows protocols by default are vulnerable. So if I wanted to harden a Windows default installation and didn't really, really need automatic proxy discovery, I'd want to disable it.

I'd like Invoke-PrivescCheck to report default WPAD settings, either as VULN LOW or INFO. What do you think? Should I submit a PR?
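One way to enumerate the settings behind "automatic proxy discovery" on a single host, as an added example rather than code from PrivescCheck or from the issue author. It is read-only and assumes the documented WinINet registry layout (flags byte at offset 8 of DefaultConnectionSettings), the WinHttpAutoProxySvc service key, and the commonly recommended hosts-file pin for the name wpad; verify those assumptions on your own build.

```powershell
# Added example (not PrivescCheck code): enumerate WPAD-related settings.
# Registry paths, the DefaultConnectionSettings flag layout and the hosts-file
# mitigation are assumptions taken from public documentation.

function Get-WpadStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Per-user WinINet setting ("Automatically detect settings" checkbox).
    #    DefaultConnectionSettings is REG_BINARY; byte 8 holds the flags
    #    (0x01 direct, 0x02 manual proxy, 0x04 PAC URL, 0x08 auto-detect).
    $connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $blob = (Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) {
        $flags = $blob[8]
        $result['WinInetAutoDetect'] = [bool]($flags -band 0x08)
        $result['WinInetPacUrl']     = [bool]($flags -band 0x04)
    } else {
        # Value absent on a fresh profile: WinINet defaults to auto-detect on (assumption).
        $result['WinInetAutoDetect'] = $true
        $result['WinInetPacUrl']     = $false
    }

    # 2. Legacy AutoDetect DWORD (1 = enabled) mirrors the same checkbox.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ad = (Get-ItemProperty -Path $ieKey -Name AutoDetect -ErrorAction SilentlyContinue).AutoDetect
    $result['AutoDetectValue'] = if ($null -eq $ad) { 'not set (default: 1)' } else { $ad }

    # 3. WinHTTP Web Proxy Auto-Discovery Service; Start = 4 means Disabled.
    #    Hardening guides set this via the registry because the service is protected.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $result['WinHttpAutoProxySvcStart']    = $start
    $result['WinHttpAutoProxySvcDisabled'] = ($start -eq 4)

    # 4. hosts-file pin: mapping "wpad" (or "wpad.") to an unroutable address
    #    short-circuits DNS/LLMNR/NBT-NS resolution of that name.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pinned = $false
    if (Test-Path $hostsPath) {
        $pinned = [bool](Get-Content $hostsPath -ErrorAction SilentlyContinue |
            Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*\S+\s+wpad\.?\s*$' })
    }
    $result['WpadPinnedInHosts'] = $pinned

    # Heuristic verdict: discovery can happen if the per-user flag is on, the
    # service is not disabled, and the name is not pinned in the hosts file.
    $result['WpadLikelyActive'] = ($result['WinInetAutoDetect'] -and
                                   -not $result['WinHttpAutoProxySvcDisabled'] -and
                                   -not $pinned)

    [pscustomobject]$result
}

Get-WpadStatus | Format-List
```

On a default installation the expected output is WinInetAutoDetect = True, the service not disabled and no hosts-file pin, i.e. WpadLikelyActive = True; a host hardened along the lines the issue describes would show the opposite on at least one of those three indicators.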

The original purpose of PrivescCheck was to find weaknesses that could lead to local privilege escalation. Over time, I extended it a bit to report some configuration issues that could be leveraged for post-exploitation as well (such as dumping LSASS).

However, I don't want to transform it into an auditing tool. One could argue that you could use any poisoning attack (such as with WPAD) to coerce the machine account to authenticate to your machine and then relay it to LDAP for local privilege escalation, but that's a bit far-fetched as the actual vulnerability exploited in this scenario would be the lack of LDAP signing enforcement.

So, to answer your question. I don't think that adding such a configuration check to PrivescCheck would make sense. For your information, when I assess the hardening level of a Windows machine, I use a script specifically made for that purpose (see https://github.com/scipag/HardeningKitty for instance).

That makes sense. I can live with simply using HardeningKitty. I'll give it a shot, thanks for the hint!