ExtraHop Alert Details
Alert ID: EXTRAHOP-PROXY-1090-7842
Alert Time: 2024-02-28 10:30:22 EST
Severity: HIGH (85/100)
Source: ExtraHop Reveal(x)
Rule: “Internal Host Acting as Proxy – Traffic Relaying Detected”
MITRE ATT&CK: T1090.001 – Proxy: Connection Proxy
Alert Details:
Detection: Internal host relaying traffic to external destination
Proxy Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Client Host: 192.168.45.112 (SALES-WS-023 – Sales)
External Destination: 185.143.221[.]89:443 (Bulgaria)
Time: 10:15-10:30 EST
Traffic Pattern:
10:15:22 – SALES-WS-023 connects to ENG-WS-045 on port 8080
10:15:23 – ENG-WS-045 connects to 185.143.221[.]89:443
10:15:24 – Data flows: Sales -> Engineering -> External
10:15:30 – Response: External -> Engineering -> Sales
Pattern repeats every 60 seconds
Traffic Analysis:
Protocol: HTTP CONNECT method (proxying)
Data: Encrypted (TLS)
Volume: 2-5 KB per session
30 such sessions in 15 minutes
Detection Logic:
Internal host (ENG-WS-045) acting as proxy for another internal host
Destination is external malicious IP
Connection pattern indicates relay/proxy behavior
ENG-WS-045 was flagged for suspicious activity earlier
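As an added example (not part of the ExtraHop rule or of this report), the traffic pattern and detection logic above can be expressed as a correlation over connection records: an internal-to-internal connection followed within a few seconds by an outbound connection from the same internal host to an external address, repeated across sessions. The flow records below are constructed to mirror the alert; the C2 address is the one from the alert written undefanged so it parses, and the 5-second window and 3-session threshold are assumed tuning values.

```python
# Relay detection over connection records (added example): flag an internal host
# that accepts a connection from another internal host and, within a short
# window, opens an outbound connection to an external address, repeatedly.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

@dataclass
class Flow:
    ts: datetime   # connection start
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port

def is_internal(ip: str) -> bool:
    return ip_address(ip).is_private

def find_relays(flows, window=timedelta(seconds=5), min_sessions=3):
    """Map (client, proxy, "ext_ip:port") -> count of relayed sessions, keeping
    only chains seen at least min_sessions times (window/threshold are assumed)."""
    flows = sorted(flows, key=lambda f: f.ts)
    outbound = [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]
    used, counts = set(), {}
    for inb in flows:
        if not (is_internal(inb.src) and is_internal(inb.dst)):
            continue
        for i, out in enumerate(outbound):
            if i in used or out.src != inb.dst:
                continue
            if timedelta(0) <= out.ts - inb.ts <= window:
                used.add(i)  # one outbound flow explains at most one inbound
                key = (inb.src, inb.dst, f"{out.dst}:{out.dport}")
                counts[key] = counts.get(key, 0) + 1
                break
    return {k: v for k, v in counts.items() if v >= min_sessions}

def sample_flows():
    """Constructed records mirroring the alert: client -> proxy:8080, then
    proxy -> C2:443 one second later, repeating every 60 seconds."""
    t0 = datetime(2024, 2, 28, 10, 15, 22)
    flows = []
    for n in range(4):
        t = t0 + timedelta(seconds=60 * n)
        flows.append(Flow(t, "192.168.45.112", "192.168.45.78", 8080))
        flows.append(Flow(t + timedelta(seconds=1), "192.168.45.78", "185.143.221.89", 443))
    # constructed benign noise: a DNS lookup and an internal SMB connection with no follow-up
    flows.append(Flow(t0 + timedelta(seconds=30), "192.168.45.78", "8.8.8.8", 53))
    flows.append(Flow(t0 + timedelta(seconds=45), "192.168.45.50", "192.168.45.78", 445))
    return flows
```

Real flow sources (ExtraHop records, NetFlow, Zeek conn logs) would be mapped onto Flow before calling find_relays; the noise records show that unpaired or out-of-order connections are not counted.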
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed proxy behavior
2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has Cobalt Strike beacon (SOCKS proxy)
3. Client Investigation | Check SALES-WS-023 | CrowdStrike Falcon | Host also compromised (secondary beacon)
4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined
5. Malware Removal | Clean both hosts | CrowdStrike Live Response | Beacons removed; hosts reimaged
6. Threat Hunting | Check for other proxy traffic | ExtraHop, Splunk | No other instances found
Jira Incident Report
Ticket: SOC-2024-145
Summary: T1090 – Internal Host Used as Proxy for C2 Traffic
Status: RESOLVED
Resolution: MALICIOUS – Proxy Chain Broken
Priority: P2 – MEDIUM
Labels: T1090, proxy, socks, c2, extrahop, cobalt-strike
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “Internal Host Acting as Proxy – Traffic Relaying Detected”.
Proxy Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Client Host: SALES-WS-023 (Sales, IP 192.168.45.112).
External Destination: 185.143.221[.]89:443.
Time: 2024-02-28 10:30 EST.
Technique: MITRE ATT&CK T1090.001 – Proxy: Connection Proxy.
2. Technical Analysis:
Attack Chain:
09:00 – ENG-WS-045 compromised (Cobalt Strike)
09:30 – Attacker sets up SOCKS proxy on ENG-WS-045
09:45 – Attacker compromises SALES-WS-023 using proxied connection
10:00 – SALES-WS-023 beacon configured to use ENG-WS-045 as proxy
10:15-10:30 – Traffic flows: Sales -> Engineering -> C2
10:30 – ExtraHop detects
Proxy Mechanism:
ENG-WS-045 running Cobalt Strike with SOCKS proxy feature
SALES-WS-023 beacon configured to route traffic through proxy
HTTP CONNECT method used to establish tunnel
All C2 traffic for Sales host appears to come from Engineering host
Compromised Hosts:
ENG-WS-045: Primary C2, proxy server
SALES-WS-023: Secondary beacon, using proxy
Attacker Intent:
Hide true source of secondary infections
Evade detection by making traffic appear from already-compromised host
Establish resilient C2 infrastructure
3. Investigation Findings:
Timeline:
09:00 – Engineering host compromised
09:30 – Proxy established
09:45 – Sales host compromised via proxy
10:15-10:30 – Proxy traffic
10:30 – ExtraHop alert
10:32 – SOC investigates
10:33 – Both hosts isolated
10:35 – Malware removed
Indicators of Compromise (IoCs):
Network:
– External C2: 185.143.221[.]89
– Proxy traffic: HTTP CONNECT to port 8080 on Engineering host
Hosts:
– ENG-WS-045 (Cobalt Strike, SOCKS proxy)
– SALES-WS-023 (Cobalt Strike)
4. Containment Actions:
Immediate Actions:
Isolated both hosts via CrowdStrike.
Terminated beacon processes.
Removed Cobalt Strike artifacts.
Blocked external C2 IP.
Host Remediation:
Both hosts reimaged.
Accounts secured (password resets, MFA).
Network Remediation:
Blocked internal proxy patterns (if possible).
5. Root Cause Analysis:
Primary Cause: Engineering host compromised, used as proxy to compromise Sales host.
Contributing Factors:
No MFA on accounts.
RDP allowed from internet.
No network segmentation between departments.
6. Business Impact:
Operational Impact: Two workstations offline for 3 hours.
Data Exposure: None (no exfiltration).
7. Remediation & Prevention:
Completed Actions:
Proxy chain broken.
Malware removed.
Accounts secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented network segmentation.
Enhanced monitoring for internal proxy patterns.
8. Conclusion:
An attacker compromised an engineering host and used it as a SOCKS proxy to compromise a sales workstation, routing C2 traffic through the internal host. ExtraHop detected the anomalous proxy behavior and enabled isolation of both hosts before any data exfiltration.
Closure Rationale: Proxy chain broken; malware removed; hosts secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 11:30 EST