DETECTION OVERVIEW
Risk Factors
Exchanging data between a victim and a command-and-control (C&C) server through an HTTP tunnel is a common technique that several readily available tools can perform. HTTP tunnels can help an attacker maintain contact with a compromised device while evading intrusion detection systems.
A web proxy routes requests from an HTTP client to a different server.
An attacker can leverage a web proxy to establish an HTTP tunnel that encrypts communication between a compromised device and an attacker-controlled C&C server, or to reach non-HTTP services on a device that is otherwise inaccessible. First, the attacker sends an HTTP request with the CONNECT method to a web server, which establishes a persistent HTTP connection. The session is often, but not always, established over SSL/TLS. Next, the client and C&C server can exchange non-HTTP traffic (such as commands or data) through the tunnel.
Legitimate use cases for the HTTP CONNECT method include securing, monitoring, and managing north-south traffic through a web proxy, and this legitimate activity can look very similar to C&C activity.
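As an added example (not part of the original page), the Python below classifies constructed proxy records by the two observable differences between the legitimate CONNECT use described here and a tunnel carrying non-HTTP C&C traffic: a CONNECT to a port where a browser or agent would not normally tunnel, and first client bytes inside the tunnel that are not a TLS ClientHello. The record layout, the sample values, and the port allowlist are assumptions, not data from the page.

```python
import re

# Constructed proxy records: the CONNECT request line plus the first bytes the
# client sent after the proxy answered "200 Connection established".
# These samples are made up for the example; none come from the original page.
SAMPLES = [
    ("CONNECT www.example.com:443 HTTP/1.1", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("CONNECT 203.0.113.10:8443 HTTP/1.1", b"\x16\x03\x03\x00\x5c\x01\x00\x00\x58\x03\x03"),
    ("CONNECT 198.51.100.7:443 HTTP/1.1", b"PING 1\r\n"),
    ("CONNECT 198.51.100.7:22 HTTP/1.1", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("GET http://www.example.com/ HTTP/1.1", b""),
]

# Request-line shape for a CONNECT: "CONNECT host:port HTTP/1.x" (bracketed IPv6 not handled)
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")

# Assumed allowlist: ports where a CONNECT tunnel is expected from browsers and agents
EXPECTED_TUNNEL_PORTS = {443}


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """A TLS session opens with a handshake record: content type 0x16, major version
    byte 0x03, and a ClientHello handshake type (0x01) right after the 5-byte record header."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def classify(request_line: str, first_client_bytes: bytes) -> dict:
    """Return tunnel metadata plus a list of reasons the tunnel looks unlike normal proxy use."""
    m = CONNECT_RE.match(request_line)
    if not m:
        return {"tunnel": False, "reasons": []}
    port = int(m.group("port"))
    reasons = []
    if port not in EXPECTED_TUNNEL_PORTS:
        reasons.append(f"connect_to_port_{port}")
    # The page notes the session is often, but not always, TLS: a tunnel whose first bytes
    # are not a ClientHello is carrying something other than HTTPS and deserves a look.
    if first_client_bytes and not looks_like_tls_client_hello(first_client_bytes):
        reasons.append("non_tls_payload_in_tunnel")
    return {"tunnel": True, "host": m.group("host"), "port": port, "reasons": reasons}


def suspicious_tunnels(samples):
    """Keep only CONNECT tunnels that raised at least one reason."""
    flagged = []
    for line, first_bytes in samples:
        result = classify(line, first_bytes)
        if result["reasons"]:
            flagged.append((line, result))
    return flagged
```

Run over SAMPLES, the www.example.com:443 tunnel passes cleanly, while the other three CONNECT records are flagged with the reason that distinguishes them.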