Phishing, Data exfiltration and droppers!! Oh Bad! Business needs the right control in place to detect and block cyber-attacks. Web proxy is one of the essential parts of any organization and its operations to control web traffic threats and minimize the attack surface. Threat hunting should be part of your organization for proactive defense. Web proxy threat hunting procedures can be used to detect and hunt the anomaly from logs.
USE CASE: Proxy Logs
Objective: The mission of this hunt is to drill down Proxy logs to baseline common domains queried by endpoints in the environment as well as identify potentially infected endpoints by looking for possible Phishing, Malware beaconing, unknown user agents, and newly registered domains.
Duration: 7 Days
Proxy Logs Anomaly Hunting Checklist for Soc Analyst
- Check any continues block traffic is seen for specific categories ( Anonymizer, Phishing, etc ) , if so this is sign of internal host is infected.
- Check the urls which has direct ip address in place. For Example : https: 51.210.156[.]152 , these can try to evade DNS protocols to infect the machine.
- Hunt for HTTP methods such as POST & PUT , this can be used by attackers to exfiltrate data to external cloud storage.
- Hunt the urls that contains file formats ( ex: .pdf, .exe, .doc, etc, .png ,.gif , .asp, .aspx,.bat, ,.chm,.hta,.jsp,.jspx,.lnk,.php,.vbs,.war,.7z ,.jar ,.txt or any unknown file formats ) , these files may contains malware that can infect your host and pivot within systems.
- Check the latest threat intel IP’s, URL’s and hostnames with your environment. This can hunt for the indicators in the network.
- Review the uncategorized web traffic which is allowed in past 7 days , Its good to deny such unknown categories until and unless it has business exception.
- Hunt for list of user-agents that is used frequently and less frequently. Probably you have seen user-agents like Python or cURL sending requests to some external websites.
- Check the referrer URL which contains additional url’s that can be legitimate or malicious.
- Check the bytes IN & OUT length , these can be the indicator of data exchange to threat actors domains.
- Check the time interval for outbound malicious request which can be synchronous or asynchronous. Asynchronous intervals shows that beaconing signal of malware.
- Track the category ( newly registered domains with high priority ) , threat intel verdict on such newly registered domains will take little time. Best practice is to block such domains when it not aligned with BAU.
- Review and hunt for unknown or suspicious user agents , Baseline the most common user agents and update the versions of older browser versions in place.