
Web Proxy Hunting and Detection Cheat Sheet

Version 1.0
Mehmet Ergene @Cyb3rMonk

| Attribute | Technique | What to look for |
|---|---|---|
| Duration | Calculate the sum per SourceIP-DestinationIP pair over 12/24 hours | Higher values may indicate beaconing |
| HTTP Status | Calculate the total count of the HTTP Status Codes per SourceIP or per SourceIP-DestinationIP pair over a specific time period | Higher values of an uncommon HTTP Status Code may indicate C2 activity |
| HTTP Status | List URLs having only HTTP error codes | C2 servers may rotate their DNS records; malware tries every domain and causes HTTP errors |
| Bytes In | Calculate the count of BytesIn per Source-Destination pair over 12/24 hours | Higher values may indicate beaconing. C2 servers reply with the same data, making the Bytes In value the same |
| Bytes In | Calculate the ratio of count(BytesIn) per Source-Destination pair | Higher values of the ratio may indicate beaconing |
| Bytes Out | Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours | Higher values may indicate data exfiltration |
| Bytes Out | Calculate the ratio of count(BytesOut) per Source-Destination pair over 12/24 hours | Higher values of the ratio may indicate beaconing |
| HTTP Method | Calculate the ratio of POST or PUT over GET per Source-Destination pair over 4/8/12/24 hours | Higher values may indicate beaconing or exfiltration |
| URL Hostname | Compare with the top 1M domains and calculate the hit count | Hit count < 5 and hostname not in the top 1M may indicate malicious payload delivery |
| URL Hostname | Calculate the hit count per Hostname | A lower hit count may indicate malicious payload delivery |
| URL Path | Calculate the count per Source-Destination-URLPath pair | Higher values may indicate beaconing |
| URL Query | Calculate the count per Source-Destination-URLQuery pair | Higher values may indicate beaconing |
| URL Query | Calculate the length of URLQuery | Higher values may indicate encoded data, a sign of exfiltration or beaconing |
| URL Query | Look for base64-encoded strings in URLQuery | Encoded strings may indicate beaconing or exfiltration |
| Content Type | List Content Type per Source-Destination pair | Uncommon Content Types may indicate a malicious file |
| User Agent | Calculate the count within the environment (long-tail analysis) | Lower values may indicate a malicious binary |
| URL Category | Query for Uncategorized, Dynamic DNS, and other suspicious categories. Calculate dcount of SourceAddress by URLHostname | Small dcount values may indicate abnormal/suspicious/malicious activity. If an uncategorized URL is visited by many users, it is less likely that the URL is malicious |
| HTTP Version | Check HTTP versions | 1.0 is older and might be suspicious |
| Protocol | Compare ports with protocols | Common Protocol-Uncommon Port or Common Port-Uncommon Protocol may indicate malicious traffic |
| File Name | Entropy analysis on filenames | May indicate malicious payload delivery |
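The cheat sheet's wording (dcount, Source-Destination pair) reads like a KQL or Splunk search, but the same metrics can be prototyped offline. The following is an added example, not part of the cheat sheet or its author's material: it computes several rows of the table (Duration sum, BytesOut sum, the count/dcount(BytesIn) repeat ratio, POST+PUT over GET, hostname hit count against a top-domains list, URLQuery length and base64 detection, filename entropy) over constructed proxy log records using only the Python standard library. The record keys (src, dst, method, url, status, bytes_in, bytes_out, duration_ms), the sample records, and the tiny TOP_DOMAINS stand-in are all assumptions; map the keys onto your proxy's schema and load a real top-1M list.

```python
# Added example (not from the cheat sheet). Record keys and sample data are
# assumptions; adapt them to your proxy log schema.
import base64
import binascii
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: three fixed-size POST beacons from 10.0.0.5 to one host,
# plus ordinary browsing from 10.0.0.7. Hostnames use the reserved .example TLD.
_BEACON = "http://update-check.example/api/v1/ping?d=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="
SAMPLE_LOGS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "method": "POST", "url": _BEACON,
     "status": 200, "bytes_in": 512, "bytes_out": 2048, "duration_ms": 30},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "method": "POST", "url": _BEACON,
     "status": 200, "bytes_in": 512, "bytes_out": 2048, "duration_ms": 28},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "method": "POST", "url": _BEACON,
     "status": 200, "bytes_in": 512, "bytes_out": 4096, "duration_ms": 35},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "method": "GET",
     "url": "http://www.example.com/index.html?page=home",
     "status": 200, "bytes_in": 15320, "bytes_out": 400, "duration_ms": 120},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "method": "GET",
     "url": "http://www.example.com/docs/guide.pdf",
     "status": 200, "bytes_in": 88210, "bytes_out": 380, "duration_ms": 340},
    {"src": "10.0.0.7", "dst": "198.51.100.30", "method": "GET",
     "url": "http://cdn-x7q.example/dl/x9Kq2Pz7vB4m.bin",
     "status": 200, "bytes_in": 210000, "bytes_out": 350, "duration_ms": 500},
]
# Stand-in for a top-1M list (assumption); load Tranco/Umbrella/Majestic in practice.
TOP_DOMAINS = {"www.example.com"}


def pair_stats(records):
    """Per Source-Destination pair: Duration sum, BytesOut sum, count/dcount(BytesIn)
    (3.0 = three replies of one size, a beacon signal) and (POST+PUT)/GET ratio."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)
    stats = {}
    for pair, rs in groups.items():
        n = len(rs)
        gets = sum(r["method"] == "GET" for r in rs)
        posts = sum(r["method"] in ("POST", "PUT") for r in rs)
        stats[pair] = {
            "requests": n,
            "duration_sum_ms": sum(r["duration_ms"] for r in rs),
            "bytes_out_sum": sum(r["bytes_out"] for r in rs),
            "bytes_in_repeat_ratio": n / len({r["bytes_in"] for r in rs}),
            "post_get_ratio": posts / max(gets, 1),  # no GET at all: ratio = POST count
        }
    return stats


def hostname_hits(records, top_domains=TOP_DOMAINS):
    """Hit count per hostname; flag = fewer than 5 hits and not in the top list."""
    hits = Counter(urlsplit(r["url"]).hostname for r in records)
    return {h: {"hits": n, "flag": n < 5 and h not in top_domains} for h, n in hits.items()}


_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_base64(value):
    """Long base64-alphabet token that also decodes cleanly. Caveat: parse_qsl turns
    '+' into a space, so '+'-bearing or URL-safe tokens can be missed by this check."""
    if not _B64_TOKEN.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def query_findings(records):
    """Per record: URLQuery length and whether any query value looks base64."""
    out = []
    for r in records:
        parts = urlsplit(r["url"])
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        out.append({"src": r["src"], "host": parts.hostname, "query_len": len(parts.query),
                    "base64_value": any(looks_base64(v) for v in values)})
    return out


def shannon_entropy(text):
    """Bits per character; random-looking filenames score close to log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def filename_entropy(url):
    """Last path segment of the URL and its Shannon entropy."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name, shannon_entropy(name)


if __name__ == "__main__":
    print(pair_stats(SAMPLE_LOGS), hostname_hits(SAMPLE_LOGS), sep="\n")
    print(query_findings(SAMPLE_LOGS), [filename_entropy(r["url"]) for r in SAMPLE_LOGS], sep="\n")
```

On the constructed data the beacon pair scores a BytesIn repeat ratio of 3.0 and a POST/GET ratio of 3.0, the browsing pair scores 1.0 and 0.0, and both low-hit hostnames outside the stand-in top list are flagged. The thresholds (5 hits, 16-character base64 tokens) are starting points to tune against your own baseline, which is the point of the long-tail comparisons in the table.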
