
Proxy detections

A proxy server is a system or router that provides a gateway between users and the internet. Because the server sits as an intermediary, isolating the internal network from the internet and from attackers, it helps organizations prevent cyber attacks from entering a private network. Proxies provide a valuable layer of security in general and an important data source for analyzing web traffic going to and from your organization. Monitoring proxy data can help pinpoint attacks, reveal malicious behavior, and give more context to what entities are doing within your organization. The list of out-of-the-box detections below covers commonly seen use cases for spotting potentially malicious activity in proxy logs.

Identifies file uploads above 50 MB in size. Excessive file uploads may indicate exfiltration by an adversary or insider. The size threshold should be tuned per organization.

Keep in mind that adversaries may compress uploads for speedy transfers and to avoid detection, so setting the file size threshold too large may miss such occurrences.

Source table ➝ proxy.all.access

Detects the download of a file with a single-character filename. Single-character file names are rare for most legitimate content and are often used by actors to stage malicious content. Users can uncomment the regex match line and modify it as necessary to target specific file types.

Source table ➝ proxy.all.access


During normal browsing by a user or system, URLs do not include an explicit destination port. A URL that spells out the port can be suspicious behavior when combined with other factors.

Source table ➝ proxy.all.access

Dynamic DNS services are in many cases associated with malware and fraud campaigns. They can also be part of a content filter bypass technique used by internal systems.

Source table ➝ proxy.all.access
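The four detections described on this page (large uploads, single-character filename downloads, explicit ports in URLs, and dynamic DNS hosts) can be expressed as simple filters over proxy access events. The following Python is an added example, not the product's own detection queries: the event field names (`src_ip`, `method`, `url`, `bytes_out`, `bytes_in`) are assumptions rather than the `proxy.all.access` schema, the sample events are constructed, and the dynamic DNS suffix list is a short illustrative one.

```python
import re
from posixpath import basename, splitext
from urllib.parse import urlparse

# Constructed sample records in the shape of proxy access events. The field
# names are assumptions for this example, not the proxy.all.access schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "method": "POST",
     "url": "https://share.example.com/upload", "bytes_out": 80_000_000, "bytes_in": 1_200},
    {"src_ip": "10.0.0.6", "method": "GET",
     "url": "http://cdn.example.net/assets/a", "bytes_out": 400, "bytes_in": 150_000},
    {"src_ip": "10.0.0.7", "method": "GET",
     "url": "http://203.0.113.9:8443/login", "bytes_out": 300, "bytes_in": 900},
    {"src_ip": "10.0.0.8", "method": "GET",
     "url": "http://host1.duckdns.org/x.exe", "bytes_out": 350, "bytes_in": 420_000},
    {"src_ip": "10.0.0.9", "method": "GET",
     "url": "https://www.example.com/index.html", "bytes_out": 500, "bytes_in": 30_000},
    {"src_ip": "10.0.0.10", "method": "POST",
     "url": "https://mail.example.com/send", "bytes_out": 10_000_000, "bytes_in": 800},
]

UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MB; tune per organization

# Illustrative dynamic DNS provider suffixes (constructed short list; a
# production list would be maintained from threat intelligence and be longer).
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".dynu.com", ".ddns.net")


def large_uploads(events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Events where the client sent more bytes than the threshold."""
    return [e for e in events if e["bytes_out"] > threshold]


def single_char_filename_downloads(events, ext_pattern=None):
    """GET requests whose last path segment has a one-character filename stem.

    ext_pattern narrows the match to file types of interest, the equivalent of
    the commented-out regex line in the page's detection (e.g. r"\\.(exe|dll)$").
    """
    hits = []
    for e in events:
        if e["method"] != "GET":
            continue
        filename = basename(urlparse(e["url"]).path)
        stem, _ext = splitext(filename)
        if len(stem) != 1:
            continue
        if ext_pattern and not re.search(ext_pattern, filename, re.IGNORECASE):
            continue
        hits.append(e)
    return hits


def explicit_port_urls(events, ignore_default_ports=False):
    """Requests whose URL spells out a destination port.

    With ignore_default_ports=True, http://host:80 and https://host:443 are
    treated as normal, since some clients emit the scheme's default port.
    """
    hits = []
    for e in events:
        parsed = urlparse(e["url"])
        port = parsed.port
        if port is None:
            continue
        if ignore_default_ports and (parsed.scheme, port) in (("http", 80), ("https", 443)):
            continue
        hits.append(e)
    return hits


def dynamic_dns_requests(events, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Requests to hostnames under a known dynamic DNS provider."""
    hits = []
    for e in events:
        host = (urlparse(e["url"]).hostname or "").lower()
        if host.endswith(suffixes):
            hits.append(e)
    return hits


def run_detections(events):
    """Map each rule name to the source IPs it fired on, in event order."""
    rules = {
        "large_upload": large_uploads(events),
        "single_char_filename_download": single_char_filename_downloads(events),
        "explicit_port_in_url": explicit_port_urls(events),
        "dynamic_dns": dynamic_dns_requests(events),
    }
    return {name: [e["src_ip"] for e in hits] for name, hits in rules.items()}


if __name__ == "__main__":
    for name, ips in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {ips}")
```

On the constructed events, the 80 MB POST trips the upload rule while the 10 MB one does not, which illustrates the tuning caveat above: an adversary who compresses data before uploading can stay under a threshold that is set too high. The `ext_pattern` argument plays the role of the commented-out regex line, so passing `r"\.exe$"` keeps only the `x.exe` download and drops the harmless `/assets/a` hit.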