Suspect HTTP Activity

Detection overview

Triggers:

  • Suspect HTTP Activity detections are based upon the HTTP protocol.
  • These are high-fidelity indicators that typically look for malicious User-Agents, specific unique byte values within HTTP payloads, or other positive indicators in the HTTP headers.
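The three trigger types above (User-Agent match, header marker, payload byte signature) can be illustrated with a small matcher run over raw HTTP requests. This is an added example, not the detection product's own rule logic; the indicator values (EXAMPLE-C2-AGENT, X-Example-Beacon, the 0xdeadbeef byte sequence) and both sample requests are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed indicators for demonstration only; real signatures come from the
# vendor's rule content, not from this example.
SUSPECT_USER_AGENTS = [
    re.compile(r"^$"),                            # empty or missing User-Agent
    re.compile(r"^EXAMPLE-C2-AGENT/\d+\.\d+$"),   # constructed malware UA
]
SUSPECT_HEADERS = {"x-example-beacon"}            # constructed header marker
SUSPECT_PAYLOAD_BYTES = [b"\xde\xad\xbe\xef"]     # constructed payload signature


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return HttpRequest(method, target, headers, body)


def match_indicators(req: HttpRequest) -> list:
    """Return the names of the triggered indicators; an empty list means no match."""
    hits = []
    ua = req.headers.get("user-agent", "")        # a missing UA counts as empty
    if any(p.search(ua) for p in SUSPECT_USER_AGENTS):
        hits.append("suspect-user-agent")
    if SUSPECT_HEADERS & set(req.headers):
        hits.append("suspect-header")
    if any(sig in req.body for sig in SUSPECT_PAYLOAD_BYTES):
        hits.append("suspect-payload-bytes")
    return hits


# Constructed samples: a benign browser request and a beacon-like request.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
SUSPECT = (b"POST /api/check HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: EXAMPLE-C2-AGENT/1.0\r\nX-Example-Beacon: 1\r\n"
           b"Content-Length: 4\r\n\r\n\xde\xad\xbe\xef")
```

Running `match_indicators(parse_request(SUSPECT))` returns all three indicator names, while the benign request returns an empty list; a real detection would additionally require the tuple of method, target and header order to match before raising a high-fidelity alert.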

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over the HTTP protocol.
  • Breach simulation software that emulates the C2 protocol of known malware and C2 frameworks.

Business Impact:

  • Command and Control channels enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated promptly to determine whether they are true positives, and acted upon accordingly.

Steps to Verify:

  • Examine the Detection page to validate whether the HTTP detection details are consistent with public threat-intelligence resources.
  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
  • Check whether the user has knowingly installed the malware or is using the tool named in the detection title.
  • Scan the endpoint for signs of malware, and validate the process associated with the network connection documented in the detection.