Threat Hunting - HTTP Requests Without Domain Names

Introduction

This is a crucial search for Threat Hunting sessions as it covers a broad spectrum of threats, including C2, stealers, and droppers. Most of them request an IP address through HTTP requests for data collection and exfiltration, rather than a domain name, as this approach is easier to detect and block.

From the identification of C2 communication to bypassing content filters, and from malicious downloads to data exfiltration, the absence of a domain name in an HTTP request often signals behavior worth investigating in a controlled environment.

The Search Query

The following search query is designed to find HTTP requests made by internal IP address to an url without domain names.

It uses a specific regex pattern to match HTTP requests without domain names in your proxy logs within the field url and it excludes internal IP addresses from the field dest_ip (you may have some internal sites serving services without domain names, and we don’t want to see that)

Splunk search

`myproxylogs` url=*
  NOT (dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
  | regex url =^(http|https|tunnel)\:\/\/\d*\.\d*\.\d*\.\d*\/[\W|\w]
  | stats values(url)
    earliest(_time) as firsttime
    latest(_time) as lasttime
    values(action)
    values(index)
    values(sourcetype)
    values(http_user_agent)
    values(src_user)
    values(dest_ip)
    values(dest_port)
    values(http_method)
    count by src_ip
  | rename values(*) as *
  | convert ctime(*time)

• myproxylogs: This is a macro to search in the proxy logs. It's essential to modify this part with your search macro, tags or index/sourcetype relevant to your proxy logs.
• Regex Pattern (/[\W|\w]): This part of the query is used to match HTTP requests without domain names, focusing on retrieving files and not just the IP address (removing a lot of noise)
• Aggregation by src_user instead of src_ip: Depending on your use case and the available information, it might be more relevant to aggregate by src_user if the field is always filled. This can be crucial, especially when dealing with VIP src_ip addresses with multiple users behind.

Triage

• check the url, the keywords pattern, google search it surronded by double quote, it may help identify a known legitimate service
• Bulk whois with the site ipbulklookup on the IP address destination list can quickly help you identify services that could be legitimate within your enterprise (you can also implement an automatic enrichment script with your SIEM). if the IP address belong to a legitimate service used within your environment, you can find the ASN associated with the IP address and exclude the range IP of the ASN, find the ASN range IP addresses on https://bgp.he.net/.

If you have few results for this search, you can change the regex from `^(http|https|tunnel)\:\/\/\d*\.\d*\.\d*\.\d*\/[\W|\w]` to `^(http|https|tunnel)\:\/\/\d*\.\d*\.\d*\.\d*\` and enjoy more false positives to exclude (you may see a lot of microsoft IP address depending on your windows update configuration)

Detection rule

Implementing a detection rule with this search is very demanding and difficult to implement.

It can be done, but it will require substantial effort to filter out legitimate requests from the services used within your enterprise.

Knowing your environment is absolutely necessary here, and the detection rule should be executed on at least a month’s worth of data to have relevant exclusions.

It is better suited for Threat Hunting.

Good luck

The triage can be difficult, but when it’s done, the results are worth it !

I highly recommand hunting for this in your environment, i managed to find a lot of phishing attempts, malicious download and C2 communications.

Let me know what you find and happy hunting !