Skip to content
Threat Feed
high advisory

OpenCanary HTTPPROXY Login Attempt Detection

Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker attempting to proxy another page.

This threat brief focuses on detecting malicious attempts to use an OpenCanary node as an HTTP proxy. OpenCanary is a low-interaction honeypot designed to detect intruders on a network. An attacker attempting to use an OpenCanary node as an HTTP proxy is a strong indicator of reconnaissance or lateral movement, as they are attempting to route their traffic through the honeypot. This activity is logged by OpenCanary and can be detected with appropriate monitoring. The default configuration of OpenCanary includes an HTTPPROXY service that listens for proxy requests. Defenders should monitor OpenCanary logs for event ID 7001, which indicates an attempted HTTP proxy login.

Attack Chain

  1. Attacker gains initial access to a network (e.g., through phishing or exploiting a vulnerability).
  2. Attacker performs network reconnaissance to identify potential targets, including the OpenCanary node.
  3. Attacker attempts to configure their system or tools to use the OpenCanary node as an HTTP proxy.
  4. The attacker sends HTTP requests through the configured proxy, attempting to reach other systems on the network.
  5. OpenCanary logs the attempted proxy connection with event ID 7001.
  6. The defender detects the suspicious HTTP proxy attempt in the OpenCanary logs.

Impact

A successful HTTP proxy attempt indicates that an attacker is actively exploring the network and attempting to move laterally. This could lead to further compromise of sensitive systems and data exfiltration. While the OpenCanary node itself is a honeypot and not a production asset, the detection of proxy attempts signals a breach and ongoing malicious activity within the network.

Recommendation

  • Deploy the provided Sigma rule OpenCanary HTTPPROXY Login Attempt to your SIEM and tune for your environment to detect unauthorized proxy attempts on OpenCanary nodes.
  • Investigate any alerts generated by the Sigma rule to determine the source and target of the attempted proxy connection.
  • Review OpenCanary configuration to ensure that the HTTPPROXY service is properly configured and secured.
  • Implement network segmentation to limit the impact of potential lateral movement by attackers.

Detection coverage 2

OpenCanary HTTPPROXY Login Attempt

high

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

sigma tactics: command-and-control, initial-access techniques: T1090 sources: application, opencanary

OpenCanary HTTPPROXY Service Started

info

Detects the starting of HTTPPROXY service on an OpenCanary node

sigma tactics: command-and-control, initial-access techniques: T1090 sources: application, opencanary

Detection queries are kept inside the platform. Get full rules →