WebProxy Event Analysis CheatSheet 1.0.1

This document provides a cheat sheet for analyzing web proxy events, listing attributes like category, user agent, source system, blocked file, scan result, user, time, bytes in/out, SSL/TLS, remote host, URL entropy, and method. It categorizes these attributes as less relevant, relevant, or highly relevant for detecting suspicious or malicious activity like hacking, botnets, and phishing. It references Sigma rules and links for further information.


Web Proxy Event Analysis Cheat Sheet

Version 1.0.1
Florian Roth @cyb3rops and the community

Each row of the sheet lists one event attribute and splits its values into three columns: Less Relevant, Relevant and Highly Relevant for spotting suspicious or malicious activity. A "-" means the column is empty for that row.

Category
  Less Relevant: All other categories
  Relevant: Content Delivery Networks; Government/Legal; Internet Connected Devices; Phishing; Potentially Unwanted Software; Remote Access; Suspicious; Web Hosting; Web Infrastructure
  Highly Relevant: Uncategorized; Computer/Information Security; Dynamic DNS Host; Hacking; Malicious Outbound Data/Botnets; Malicious Sources/Malnets; "Newly Created Domains"

User Agent
  Less Relevant: -
  Relevant: Random Characters; Empty; Very Short (<20 chars, e.g. "Mozilla"); Mozilla/4.0; Mozilla/3.0; Mozilla/2.0; Mozilla * (no slash after Mozilla)
  Highly Relevant: *PowerShell/*; Microsoft-CryptoAPI/*; CertUtil*; Microsoft BITS*; * WinHttp* (Macro Downloader); curl/*; Googlebot*
  See the User Agent Sigma rules [1] with the "proxy_ua_" prefix.

Source System
  Less Relevant: CERT / CSIRT machines; Security Appliances
  Relevant: Workstation; Other Servers
  Highly Relevant: Domain Controller; Print Server; DMZ Server; Jump Server; Admin Workstation

Blocked File
  Less Relevant: Files > 10 MB
  Relevant: Not Archived / Extracted; Common Archive (ZIP)
  Highly Relevant: Uncommon Archive (RAR, 7z, encrypted archive)
  File Extensions: .EXE .PNG .GIF .ASP .ASPX .BAT .CHM .HTA .JSP .JSPX .LNK .PHP .PS1 .SCF .TXT .VBS .WAR .WSF .WSH .XML .ISO .RAR .7z .JAR

Scan Result
  Less Relevant: -
  Relevant: -
  Highly Relevant: Scan Errors (unknown compression, password protected, DLP etc.)

User
  Less Relevant: -
  Relevant: Regular Users
  Highly Relevant: Service Accounts; Domain Administrators; Local Administrators; Guest Account

Time
  Less Relevant: -
  Relevant: Regular Work Hours
  Highly Relevant: Outside Regular Work Hours

Bytes In / Out
  Less Relevant: -
  Highly Relevant: Big requests (uploads)

SSL/TLS
  Less Relevant: -
  Relevant: Invalid Certificate
  Highly Relevant: Revoked Certificate; Newly Created Certificates

Remote Host
  Less Relevant: -
  Relevant: Hosting Service (e.g. *.amazonaws.com); raw.* (e.g. raw.githubusercontent.com)
  Highly Relevant: IP address in URL

URL Entropy
  Less Relevant: -
  Highly Relevant: High Entropy [2]

Method
  Less Relevant: GET, HEAD
  Relevant: POST
  Highly Relevant: CONNECT; POST (without GET from same source)

Target Port
  Highly Relevant: Unequal 443/tcp and 80/tcp


[1] https://github.com/Neo23x0/sigma/tree/master/rules/proxy
[2] https://www.splunk.com/en_us/blog/tips-and-tricks/when-entropy-meets-shannon.html
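The following is an added example, not part of the cheat sheet or the referenced Sigma rules: it turns several of the sheet's rows (user agent patterns, highly relevant categories, IP address in URL, raw.* hosts, URL entropy, CONNECT and non-standard ports) into a weighted score over proxy events, so an analyst can rank a batch of events for triage. The event field names, the weights, the 4.0 bits-per-character entropy cutoff and the two sample events are all constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

UA_HIGH = [re.compile(p, re.I) for p in (  # highly relevant user agents from the sheet
    r"powershell/", r"^microsoft-cryptoapi/", r"^certutil", r"^microsoft bits",
    r"winhttp", r"^curl/", r"^googlebot")]
UA_RELEVANT = [re.compile(r"^mozilla/[234]\.0", re.I), re.compile(r"^mozilla(?!/)", re.I)]
CAT_HIGH = {"uncategorized", "computer/information security", "dynamic dns host", "hacking",
            "malicious outbound data/botnets", "malicious sources/malnets", "newly created domains"}

def shannon_entropy(s: str) -> float:
    # Bits per character of s; random-looking paths score high, the empty string scores 0.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Weight one proxy event; field names, weights and the 4.0 entropy cutoff are assumptions."""
    score, why = 0, []
    ua = ev.get("user_agent", "")
    if any(p.search(ua) for p in UA_HIGH):
        score += 3; why.append("highly relevant user agent")
    elif len(ua) < 20 or any(p.search(ua) for p in UA_RELEVANT):
        score += 1; why.append("empty, short or relevant user agent")
    if ev.get("category", "").lower() in CAT_HIGH:
        score += 3; why.append("highly relevant category")
    parsed = urlparse(ev.get("url", "")); host = parsed.hostname or ""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        score += 3; why.append("IP address in URL")
    elif host.startswith("raw."):
        score += 1; why.append("raw.* host")
    if shannon_entropy(parsed.path) > 4.0:
        score += 2; why.append("high URL entropy")
    if ev.get("method") == "CONNECT" or ev.get("port") not in (80, 443):
        score += 2; why.append("CONNECT or non-standard port")
    return score, why

# Constructed sample events: an ordinary browser request and one that trips several rows.
SAMPLE_EVENTS = [
    {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "category": "Search Engines/Portals", "url": "https://www.example.com/search",
     "method": "GET", "port": 443},
    {"user_agent": "Microsoft BITS/7.8", "category": "Uncategorized",
     "url": "http://203.0.113.7/a8Fq2zL9xWp3/update.bin", "method": "POST", "port": 8080},
]

def triage(events: list[dict]) -> list[tuple[int, str]]:
    # (score, url) pairs, most suspicious first, for the analyst's review queue.
    return sorted(((score_event(e)[0], e["url"]) for e in events), reverse=True)
```

The user-agent patterns deliberately mirror the sheet's globs rather than the Sigma rules themselves; tune the weights against your own baseline before using the score for alerting.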
