#proxy #use cases #threat hunting #network forensics

1. Logs Review and Detection
PROXY
Mostafa Yahia

2. HUNTing
Through
Proxy
Logs

3. “If you are Infected The proxy have Know
Everything About the communication
between your org and the Attacker”
“

4.  Why Proxy ?
 What the valuable PROXY logs ?
 Target hostname
 Use Cases For Target hostname
 User agent
 Use Cases For User agent
 HTTP request method
 Content type
 Use Cases For Methods and Content Type
 URL categorization
 Use Cases For URL categorization
 HTTP referrer
 Use Cases For referrer
AGENDA

5. Why Proxy ?
 If The Firewall the First Line of defense from the External Threat,
the Proxy is the first line Of Detection For internal threat
(C2,Data Exfiltration, etc.. )
 The proxy is Act as a person that Hold a message from some one
to Another, that’s make him know every thing about this message
Yes, that’s Right If you are Infected The proxy have Know Everything
About the communication between your org and the Attacker.

6. What are the valuable PROXY logs ?
 Target hostname (DNS)
 HTTP request method
 Content type
 User agent
 HTTP Referrer
 Target host IP
 URL Categories

7. Target hostname
• The Target Hostname show the Requested Domain That help to
detect the most requested Domain by one IP and that maybe an
indicator To Command and Control Server or automated
communication.

8. Use Cases
DashBoard:
 Log source equal (proxy) ,Target domain Not equal (N/A), grouping by
source IP and Domain, sorting by event count last 30 Min.

9. User agent
 you need to Look out for user agents that indicate the use of a
scripting language (Python for example) or user agents that
don’t make sense.
 If you control your environment then you can develop a
Reference set of “known” and “accepted” user agents.
Everything that’s out of the ordinary should then trigger an
alarm.
>> You can use User Agent String.com as a reference.
(http://www.useragentstring.com/pages/useragentstring.php)

10. Use Cases
DashBoard:
 Log source equal (proxy) ,User agent does Not exist in any of (RF(trusted
user agent)) and grouping by User Agent, sorting by event count last 1
hour.
Rule:
 When the event detected by (proxy)
and user agent are contained in (RF (scripting user agent))

11. HTTP request method
• One of the valuable logs of Proxy is HTTP methods (for example GET,
POST) and graph / alert on (an increase of) unusual methods (for example
CONNECT, PUT).
 The next slide Will Describe Every HTTP methods.

12. Method Description
GET The GET method is used to retrieve information from the given server using a given URI. Requests
using GET should only retrieve data and should have no other effect on the data.
HEAD Same as GET, but transfers the status line and header section only.
POST A POST request is used to send data to the server, for example, customer information, file upload, etc.
using HTML forms.
PUT Replaces all current representations of the target resource with the uploaded content.
DELETE Removes all current representations of the target resource given by a URI.
CONNECT Establishes a tunnel to the server identified by a given URI.
OPTIONS Describes the communication options for the target resource.
TRACE Performs a message loop-back test along the path to the target resource.
Mostafa Yahia 12

13. Content-Type
13
• The Content-Type entity-header field indicates the media type of the entity-body sent
to the recipient or, in the case of the HEAD method, the media type that would have
been sent, had the request been a GET. The general syntax is:
o Content-Type : media-type
You Can Find all possible HTTP header content type at the below link
https://stackoverflow.com/questions/23714383/what-are-all-the-possible-values-
for-http-content-type-header
Mostafa Yahia

14. HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

15. what I should look to ?!
 Log the HTTP request method (for example GET, POST) and graph / alert on (an increase of) unusual
methods (for example CONNECT, PUT)
 Focus on POSTs with content types different than text/html. Especially POSTS with application/octet-
stream or any of the MS Office document file types should raise suspicion. Repeated requests can
indicate that something or someone is uploading a lot of (corporate?) documents.

16. Use Cases
DashBoard:
Log source equal (proxy),http_method equal Post, content-type NOT equal text/html
grouping by content type and URL last 1 hour.
Log source = (proxy),http_method =CONNECT, Grouping by URL last 30 min.
Rule:
When the event detected by (proxy)
and http_method = Post and content-type are contained in (RF (suspicious content))
 When the event detected by (proxy)
and http_method = PUT

17. URL categorization
• By crawling and categorizing sites on the internet, proxies can be configured to deny access to website
meeting certain criteria. For example, many workplaces choose to block sites classified as pornography,
and public schools often block gaming sites. Sites that have been associated with malware are often
categorized accordingly and blocked by default with most proxies. That means that most of the URLs you
encounter will already be categorized. But, what does it mean when you encounter a URL that isn’t
categorized? And why I need to monitor the suspicious URL category if it already Blocked !

18. URL don’t have category, so what is the problem !
• the URL could be relatively new. It might also mean that it isn’t being indexed by search engines, or that
it serves a very specific purpose and has gone undiscovered as a result. Of course, that purpose could be
to direct you to a system hosting malware, The important takeaway is that domains registered by
malicious actors and used for things like phishing attempts and malware C2 often spend a bit more time
as an uncategorized sites as far as your proxy concerned. That means we can hunt for them!

19. Use Cases for Uncategorized Domains
Rule:
When the event detected by (proxy)
and the URL category = Uncategorized
Note: there is no standard naming convention for what proxy vendors call uncategorized URLs. For example, some vendors will refer to
these as “Unknown” whereas others refer to them as “Uncategorized”

20. Why I need to monitor the Some of URL categories
• Your organization Allowed the Shopping URL Category, that’s Fine but also many of Phishing URLs are
categorized as Shopping !!!
• In addition if the attacker feel that their malicious URL has been blocked Because of the bad reputation
URL category He can easily change it by your organization Proxy vendor URL review Site !
e.g to Review any URL category at Bluecoat proxy
https://sitereview.bluecoat.com/#/

21. Use Cases
DashBoard:
 Log source equal (proxy) , URL Category = (all suspicious categories)
Grouping by URL , Last 30 Min

22. HTTPReferrer
• How are the people visiting in websites finding it? Where is that traffic coming from? The answer to this
is found by looking at data on HTTP referrers.
• An HTTP referrer, often simply referred to as the referrer, is any source online that drives visits and
visitors to websites. These may include:
o Search engines
o Links from other websites
o Social media
o Online ads
o Affiliate links
o Links built into software

23. When it will/may be empty ?
• entered the site URL in browser address bar itself.
• visited the site by a browser-maintained bookmark.
• visited the site as first page in the window/tab.
• clicked a link in an external application.
• switched from a https URL to a http URL.
• switched from a https URL to a different https URL.
• have security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
• is behind a proxy which strips the referrer from all requests.
• have (software/O.S/etc) updates.
• visited the site programmatically, off course may be a malware .

24. Use Cases
DashBoard:
 Log source equal (proxy) , http_Referrer = (null), Grouping by URL last 30
min.
• If you control your environment then you can develop a Reference set of (Updates,
trusted Domain/etc..) and. Everything that’s out of the ordinary should then showed
at the Below dashboard use case.
 If you don’t, It may will be helpful for investigations

25. Connections To Naked IPs
Naked IP is mean the communication to external IPs as an TARGET URL instead of domains, that’s maybe not entered
by the End user and it an automated connection.

26. Use Cases
DashBoard:
 Log source equal (proxy) , Direction = L2R, Domain Not contain (A to Z)
Grouping by Destination IP , Last 12 Hours

27. Any questions?
Thanks!