WebProxy Event Analysis CheatSheet 1.0.1

This document provides a cheat sheet for analyzing web proxy events, listing attributes like category, user agent, source system, blocked file, scan result, user, time, bytes in/out, SSL/TLS, remote host, URL entropy, and method. It categorizes these attributes as less relevant, relevant, or highly relevant for detecting suspicious or malicious activity like hacking, botnets, and phishing. It references Sigma rules and links for further information.

Uploaded by siouxinfo

Web Proxy Event Analysis Cheat Sheet

Version 1.0.1
Florian Roth @cyb3rops and the community

| Attribute | Less Relevant | Relevant | Highly Relevant |
|---|---|---|---|
| Category | All other categories | Content Delivery Networks; Government/Legal; Internet Connected Devices; Phishing; Potentially Unwanted Software; Remote Access; Suspicious; Web Hosting; Web Infrastructure | Uncategorized; Computer/Information Security; Dynamic DNS Host; Hacking; Malicious Outbound Data/Botnets; Malicious Sources/Malnets; "Newly Created Domains" |
| User Agent | - | Random Characters; Empty; Very Short (<20 Chars, e.g. "Mozilla"); `Mozilla/4.0`; `Mozilla/3.0 *`; `Mozilla/2.0`; `Mozilla *` (no slash after Mozilla) | `*PowerShell/*`; `Microsoft-CryptoAPI/*`; `CertUtil*`; `Microsoft BITS*`; `WinHttp*` (Macro Downloader); `curl/*`; `Googlebot*`; see the User Agent Sigma rules [1] with the `proxy_ua_` prefix |
| Source System | CERT / CSIRT machines; Security Appliances | Workstation; Other Servers | Domain Controller; Print Server; DMZ Server; Jump Server; Admin Workstation |
| Blocked File | Files > 10 MB | Not Archived / Extracted; Common Archive (ZIP) | Uncommon Archive (RAR, 7z, encrypted Archive); File Extensions: .EXE .PNG .GIF .ASP .ASPX .BAT .CHM .HTA .JSP .JSPX .LNK .PHP .PS1 .SCF .TXT .VBS .WAR .WSF .WSH .XML .ISO .RAR .7z .JAR |
| Scan Result | - | - | Scan Errors (Unknown compression, password protected, DLP etc.) |
| User | - | Regular Users | Service Accounts; Domain Administrators; Local Administrators; Guest Account |
| Time | - | Regular Work Hours | Outside Regular Work Hours |
| Bytes In / Out | - | - | Big requests (uploads) |
| SSL/TLS | - | Invalid Certificate | Revoked Certificate; Newly Created Certificates |
| Remote Host | - | Hosting Service (e.g. `*.amazonaws.com`) | IP address in URL; `raw.*` (e.g. raw.githubusercontent.com) |
| URL Entropy | - | - | High Entropy [2] |
| Method | GET, HEAD | POST | CONNECT; POST (without GET from same source) |
| Target Port | - | - | Unequal 443/tcp and 80/tcp |


[1] https://github.com/Neo23x0/sigma/tree/master/rules/proxy
[2] https://www.splunk.com/en_us/blog/tips-and-tricks/when-entropy-meets-shannon.html
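As an added example (not part of the original cheat sheet), the following Python checks one proxy event against several of the sheet's "Highly Relevant" rows at once: the user-agent globs, IP address in URL, `raw.*` hosts, the CONNECT method, a target port other than 80/443, and URL entropy as in footnote 2. The event field names, the 4.0-bit entropy cut-off and the 20-character minimum length are assumptions, and the sample events are constructed.

```python
import math
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit
# "Highly Relevant" user-agent globs from the sheet, as anchored case-insensitive regexes.
UA_PATTERNS = [re.compile(p, re.I) for p in (
    r".*PowerShell/.*", r"Microsoft-CryptoAPI/.*", r"CertUtil.*",
    r"Microsoft BITS.*", r"WinHttp.*", r"curl/.*", r"Googlebot.*")]

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (the sheet's footnote 2)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)   # accepts IPv4 and (bracket-stripped) IPv6 literals
        return True
    except ValueError:
        return False

def highly_relevant(ev: dict) -> list[str]:
    """Names of the sheet's 'Highly Relevant' rows that one proxy event matches."""
    url = urlsplit(ev["url"])
    host = url.hostname or ""
    hits = []
    if any(p.fullmatch(ev["user_agent"]) for p in UA_PATTERNS):
        hits.append("user agent")
    if is_ip_literal(host):
        hits.append("ip address in url")
    if host.startswith("raw."):
        hits.append("raw.* host")
    if ev["dst_port"] not in (80, 443):
        hits.append("target port")
    if ev["method"] == "CONNECT":
        hits.append("method CONNECT")
    pq = url.path + url.query  # assumed cut-offs: 20 chars minimum, 4.0 bits; tune to your baseline
    if len(pq) >= 20 and shannon_entropy(pq) > 4.0:
        hits.append("url entropy")
    return hits

# Constructed sample events (not real traffic): a benign browser request, then one that
# trips the user-agent, IP-in-URL, target-port and URL-entropy rows at the same time.
SAMPLE_EVENTS = [
    {"method": "GET", "url": "https://www.example.com/news/index.html", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"},
    {"method": "POST", "url": "http://203.0.113.10:8080/aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY", "dst_port": 8080,
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"},
]
```

Calling `highly_relevant` on each entry of `SAMPLE_EVENTS` returns an empty list for the browser request and four matched rows for the second event. Short paths are skipped on purpose: a dozen distinct characters already score above 4 bits, so entropy only separates random-looking URLs from normal ones over longer strings.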
