OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
Sigma rule (View on GitHub)
1title: OpenCanary - HTTPPROXY Login Attempt
2id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
3status: test
4description: |
5 Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
6references:
7 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
8 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
9author: Security Onion Solutions
10date: 2024-03-08
11tags:
12 - attack.initial-access
13 - attack.defense-evasion
14 - attack.command-and-control
15 - attack.t1090
16logsource:
17 category: application
18 product: opencanary
19detection:
20 selection:
21 logtype: 7001
22 condition: selection
23falsepositives:
24 - Unlikely
25level: high
References
-
Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...
Read More -
Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.
Read More
Related rules
- New Port Forwarding Rule Added Via Netsh.EXE
- New PortProxy Registry Entry Added
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux