Proxy Logs

Proxy logs provide visibility into all web traffic leaving an organization. They reveal which users accessed which websites, what files they downloaded, what URLs they requested, which domains were contacted, and whether connections were allowed or blocked.
For SOC analysts, proxy logs are essential for detecting malware downloads, C2 communication, phishing activity, domain abuse, data exfiltration, and malicious browsing behavior.

This chapter covers proxy logs at practical SOC depth: raw examples, field interpretation, detection patterns, SIEM queries, and complete attack timelines.


What Proxy Logs Capture

Proxy logs record all HTTP/HTTPS web activity, including:

  • Source IP or user

  • Destination URL

  • Domain/IP

  • HTTP method (GET/POST)

  • URI path

  • User-Agent

  • Response codes

  • File downloads

  • Categories (malware/phishing/unknown)

  • Action (allow/block)

  • Bytes transferred

  • SSL inspection results

Proxy logs are often the first place a malware infection becomes visible.


Common Proxy Solutions

Organizations use proxies such as:

  • Squid Proxy

  • Blue Coat / Symantec ProxySG

  • Zscaler Internet Access

  • Cisco Umbrella

  • FortiProxy

  • Palo Alto URL Filtering

  • Websense / Forcepoint

Logs from these products are normalized into the SIEM for detection.


Raw Proxy Log Examples (SOC-Level)

Below are raw logs in the form analysts encounter them.


1. Malware Download Attempt

2025-01-10T02:22:11Z SRC=10.0.0.5 USER=mayur URL=http://maliciousdomain.ru/payload.exe ACTION=ALLOW CATEGORY=malware BYTES=452112

Interpretation:

  • Internal user downloaded a suspicious executable

  • Domain flagged as malware

  • Major compromise indicator


2. Phishing Site Access

SRC=10.0.0.12 USER=john URL=https://office365-login-auth.com ACTION=BLOCK CATEGORY=phishing

Interpretation:

  • User attempted to visit phishing site

  • Check if credentials were entered

  • Validate user security awareness


3. C2 Beacon Over HTTPS

SRC=10.0.0.5 URL=https://abcxjwy3pqo.biz/beacon POST 204

Signs of C2:

  • Random domain

  • Minimal content (a small POST answered with 204 No Content)

  • Regular beacon pattern


4. Suspicious File Download

SRC=10.0.0.7 URL=https://cdn.unknownsite.com/update.ps1 ACTION=ALLOW

PowerShell script downloads are high-risk.


5. High Data Upload (Exfiltration)

SRC=10.0.0.9 METHOD=POST URL=https://file.io/upload SIZE_OUT=5123344 ACTION=ALLOW

A large outbound POST request to a file-sharing service indicates possible data exfiltration.


6. Repeated Requests to Newly Registered Domain

SRC=10.0.0.11 URL=http://xhduwq-newlymade.info/status

Attacker-controlled domains are often newly created.


7. URL Path for Exploit Kit

URL=http://compromised.com/ek/landing.php?id=4421
CATEGORY=malware

Exploit kits use predictable patterns.


Proxy Log Fields (What SOC Analysts Look At)

1. SRC / user

Identify compromised hosts or insider threats.

2. URL / Domain

Red flags:

  • Newly registered

  • Random strings

  • Foreign TLDs

  • Free hosting platforms

3. HTTP Method

  • GET → download/request

  • POST → uploads (exfiltration)

  • CONNECT → HTTPS tunnel

4. Response Codes

  • 200 → successful request; normal, but a malicious download or beacon also returns 200

  • 302 → redirect; common in phishing redirect chains

  • 404 → not found; some malware C2 uses a 404 as a fallback or cover response

  • 500 → server error; can indicate failed server-side exploitation attempts

5. Category

  • malware

  • phishing

  • unknown

  • anonymizers

  • dynamic DNS

6. Bytes In/Out

Unusually large outbound byte counts point to exfiltration.

7. User-Agent

Attackers often use:

  • python-requests

  • curl

  • powershell

  • custom agents

8. SSL Inspection

If SSL inspection is bypassed or disabled, malware traffic hides inside HTTPS and the proxy sees only the CONNECT and the domain, not the URL path or content.


Attack Behavior Visible in Proxy Logs

1. Malware Download

payload.exe, update.ps1, shell.py

2. C2 Communication

  • Small periodic POST/GET requests

  • Random subdomains

  • Non-standard ports

3. Phishing

office365-verification-login.com
banking-auth-check.net

4. DNS Tunneling Over HTTP

Requests with long random URL parameters.

5. TOR/Proxy Avoidance

URL=https://check.torproject.org/

6. Data Exfiltration

Large POST requests to:

  • file-sharing websites

  • pastebins

  • cloud buckets

7. Drive-by Downloads

Requests to exploit kit URL paths.


High-Risk Indicators in Proxy Logs

Analysts watch for:

  • Executable downloads

  • PowerShell script downloads

  • Unknown/uncategorized domains

  • Newly registered domains

  • Foreign TLDs (.ru, .cn, .su)

  • C2 beacon patterns

  • Large outbound uploads

  • Inconsistent User-Agent strings

  • Access to known phishing/malware sites

These indicators usually lead directly to compromise investigations.
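As an added worked example (not code from the chapter), the following Python script parses lines in the KEY=VALUE layout used in the raw examples above and applies the high-risk indicators from this list to each record. The sample lines, the UA= field name for the User-Agent, and the wording of the flags are constructed for the example; the file extensions, TLDs, categories, scripted user-agents, and the 1,000,000-byte upload threshold are the chapter's own.

```python
from urllib.parse import urlparse

# Constructed sample lines in the KEY=VALUE layout the chapter's raw examples use.
# The UA= field (User-Agent) is an assumed field name; the others appear in the chapter.
SAMPLE_LOGS = [
    "2025-01-10T02:22:11Z SRC=10.0.0.5 USER=mayur URL=http://maliciousdomain.ru/payload.exe ACTION=ALLOW CATEGORY=malware BYTES=452112",
    "2025-01-10T02:25:40Z SRC=10.0.0.12 USER=john URL=https://office365-login-auth.com ACTION=BLOCK CATEGORY=phishing",
    "2025-01-10T02:30:02Z SRC=10.0.0.7 USER=ana URL=https://cdn.unknownsite.com/update.ps1 ACTION=ALLOW CATEGORY=unknown UA=python-requests/2.31",
    "2025-01-10T02:41:19Z SRC=10.0.0.9 USER=li METHOD=POST URL=https://file.io/upload SIZE_OUT=5123344 ACTION=ALLOW CATEGORY=file-sharing",
    "2025-01-10T02:45:00Z SRC=10.0.0.3 USER=sam URL=https://www.example.com/index.html ACTION=ALLOW CATEGORY=business",
]

# Lists and thresholds taken from the chapter's indicator and query sections
RISKY_EXTENSIONS = (".exe", ".ps1", ".sh", ".bat", ".py", ".js")
RISKY_TLDS = (".ru", ".cn", ".su")
RISKY_CATEGORIES = {"malware", "phishing", "unknown", "anonymizers", "dynamic dns"}
SCRIPTED_AGENTS = ("python-requests", "curl", "powershell")
UPLOAD_THRESHOLD = 1_000_000  # bytes_out > 1000000 in the exfiltration query


def parse_line(line):
    """Turn one raw line into a dict. A leading token without '=' is the timestamp;
    every other token is split on its first '=' so URLs with query strings survive."""
    fields = {}
    tokens = line.split()
    if tokens and "=" not in tokens[0]:
        fields["TIMESTAMP"] = tokens[0]
    for tok in tokens:
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key.upper()] = value
    return fields


def risk_flags(fields):
    """Return the high-risk indicators one parsed record triggers (empty list = nothing notable)."""
    flags = []
    parsed = urlparse(fields.get("URL", ""))
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if path.endswith(RISKY_EXTENSIONS):
        flags.append("script/executable download")
    if host.endswith(RISKY_TLDS):
        flags.append("foreign TLD")
    category = fields.get("CATEGORY", "").lower()
    if not category or category in RISKY_CATEGORIES:
        flags.append("category: " + (category or "uncategorized"))
    if fields.get("UA", "").lower().startswith(SCRIPTED_AGENTS):
        flags.append("scripted User-Agent")
    try:
        bytes_out = int(fields.get("SIZE_OUT") or fields.get("BYTES_OUT") or 0)
    except ValueError:
        bytes_out = 0
    if fields.get("METHOD", "GET").upper() == "POST" and bytes_out > UPLOAD_THRESHOLD:
        flags.append("large outbound POST")
    return flags


def triage(lines):
    """Parse every line and keep only the records that raise at least one flag."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        flags = risk_flags(fields)
        if flags:
            hits.append({"src": fields.get("SRC"), "user": fields.get("USER"),
                         "url": fields.get("URL"), "action": fields.get("ACTION"),
                         "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"{hit['src'] or '?':<10} {hit['user'] or '?':<6} {hit['action'] or '?':<5} {hit['url']}")
        for flag in hit["flags"]:
            print("    -", flag)
```

Of the five constructed lines, four raise flags and the plain business-category request raises none; an ALLOW on a record that carries both a malware category and an executable extension is the "major compromise indicator" case from the first raw example.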


SIEM Queries (Practical)

Detect malware downloads

URL:*.exe OR URL:*.ps1 OR URL:*.sh OR URL:*.bat

Detect phishing

CATEGORY:phishing OR URL:*login* OR URL:*verify*

Detect C2 beaconing

POST AND bytes_out < 500 AND repeated every 30 seconds (pseudo-query: the repetition interval has to be computed by grouping requests per source and destination, not matched as a search term)

Detect newly registered malicious domains

domain_age < 30 AND ACTION:ALLOW

Detect data exfiltration

POST AND bytes_out > 1000000

Detect TOR usage

URL:*torproject.org*

Detect script downloads

URL:*download* AND (URL:*.ps1 OR URL:*.py OR URL:*.js)

Full Attack Timeline Using Proxy Logs

Step 1 — Phishing Email

User clicks link:

URL=https://office365-auth-check.com

Step 2 — User Downloads Malware

URL=http://malicious.ru/dropper.exe ACTION=ALLOW

Step 3 — Malware Downloads Second Stage

URL=http://evilcdn.ru/beacon.ps1

Step 4 — C2 Communication

POST /status, small body, 204 response, every 60 seconds

Step 5 — Data Exfiltration

POST https://transfer.sh/upload SIZE_OUT=4201133

Proxy logs reveal phishing → malware → C2 → exfiltration.
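The SIEM queries in the previous section state beaconing ("repeated every 30 seconds") and exfiltration ("bytes_out > 1000000") as search terms, but periodicity can only be found by grouping requests per source and destination and measuring the gaps between them. As an added example, not part of the chapter, the following Python code does that over a constructed event list modelled on the five-step timeline above: it scores the regularity of small requests per (source, host), applies the upload threshold, and orders the flagged events into the phishing → malware → C2 → exfiltration chain. The event records, the beacon host (reused from the C2 example earlier in the chapter), the 60-second interval with one second of jitter, and the 20% regularity tolerance are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import urlparse


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(ts, src, method, url, bytes_out, status, category):
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": urlparse(url).hostname, "bytes_out": bytes_out,
            "status": status, "category": category}


# Constructed proxy events for one host, following the chapter's five-step timeline.
# The www.example.com requests are benign background noise added for contrast.
EVENTS = [
    _event(_ts("2025-01-10T09:00:00Z"), "10.0.0.5", "GET", "https://office365-auth-check.com/", 0, 302, "phishing"),
    _event(_ts("2025-01-10T09:01:30Z"), "10.0.0.5", "GET", "http://malicious.ru/dropper.exe", 0, 200, "malware"),
    _event(_ts("2025-01-10T09:02:10Z"), "10.0.0.5", "GET", "http://evilcdn.ru/beacon.ps1", 0, 200, "unknown"),
    _event(_ts("2025-01-10T09:12:00Z"), "10.0.0.5", "POST", "https://transfer.sh/upload", 4201133, 200, "file-sharing"),
    _event(_ts("2025-01-10T09:00:40Z"), "10.0.0.5", "GET", "https://www.example.com/", 0, 200, "business"),
    _event(_ts("2025-01-10T09:05:15Z"), "10.0.0.5", "GET", "https://www.example.com/news", 0, 200, "business"),
    _event(_ts("2025-01-10T09:11:05Z"), "10.0.0.5", "GET", "https://www.example.com/about", 0, 200, "business"),
]
# Step 4: eight tiny POSTs about 60 s apart with a second of jitter, answered with 204 No Content
_BEACON_START = _ts("2025-01-10T09:03:00Z")
for i in range(8):
    EVENTS.append(_event(_BEACON_START + timedelta(seconds=60 * i + (i % 3) - 1), "10.0.0.5",
                         "POST", "https://abcxjwy3pqo.biz/beacon", 120, 204, "unknown"))

PHASE_ORDER = ["phishing", "malware download", "second stage", "c2", "exfiltration"]


def detect_beacons(events, min_count=5, max_bytes=500, max_cv=0.2):
    """Map (src, host) -> {count, interval} for small requests at near-constant spacing.
    Regularity is the coefficient of variation of the gaps between consecutive requests."""
    stamps = defaultdict(list)
    for e in events:
        if e["bytes_out"] < max_bytes:
            stamps[(e["src"], e["host"])].append(e["ts"])
    found = {}
    for key, times in stamps.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = {"count": len(times), "interval": round(avg, 1)}
    return found


def detect_exfil(events, threshold=1_000_000):
    """POST requests whose outbound size exceeds the chapter's 1,000,000-byte threshold."""
    return [e for e in events if e["method"] == "POST" and e["bytes_out"] > threshold]


def build_timeline(events, src):
    """Chronological (time, phase, url) entries for one source host; unremarkable events are dropped."""
    beacon_hosts = {host for (s, host) in detect_beacons(events) if s == src}
    exfil = detect_exfil(events)
    timeline = []
    for e in sorted((x for x in events if x["src"] == src), key=lambda x: x["ts"]):
        path = urlparse(e["url"]).path.lower()
        if e["category"] == "phishing":
            phase = "phishing"
        elif path.endswith(".exe"):
            phase = "malware download"
        elif path.endswith(".ps1"):
            phase = "second stage"
        elif e["host"] in beacon_hosts:
            phase = "c2"
        elif e in exfil:
            phase = "exfiltration"
        else:
            continue
        timeline.append((e["ts"].strftime("%H:%M:%S"), phase, e["url"]))
    return timeline


def attack_chain(timeline):
    """Distinct phases in order of first appearance; equals PHASE_ORDER when the full chain is present."""
    seen = []
    for _, phase, _ in timeline:
        if phase not in seen:
            seen.append(phase)
    return seen


if __name__ == "__main__":
    tl = build_timeline(EVENTS, "10.0.0.5")
    for when, phase, url in tl:
        print(f"{when}  {phase:<17} {url}")
    print("chain:", " -> ".join(attack_chain(tl)))
```

The three irregular www.example.com requests never reach the beacon threshold, the single large POST to the file-sharing host is the only exfiltration hit, and the ordered phases reproduce the chain the chapter describes; in a real SIEM the same grouping is done with a time-bucketed aggregation per source and destination rather than a plain search.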


Analyst Workflow Using Proxy Logs

  1. Identify suspicious domains or URLs

  2. Check user identity and host

  3. Validate URL category (malware/phishing/unknown)

  4. Check file types downloaded

  5. Review POST requests for uploads

  6. Correlate with endpoint activity (Sysmon/process logs)

  7. Examine DNS/firewall logs for extra evidence

  8. Build timeline from phishing to compromise

  9. Escalate to IR if malicious

Proxy logs allow analysts to detect an attack before the malware even runs, simply by observing dangerous web activity.


Intel Dump

  • Proxy logs capture all web requests including URLs, domains, methods, response codes, categories, and user identities.

  • Reveal malware downloads, C2 traffic, phishing attempts, exfiltration, exploit kits, and script downloads.

  • High-risk indicators include executable downloads, unknown domains, random URLs, suspicious POST requests, and large uploads.

  • SIEM queries detect phishing, malware downloads, beaconing patterns, TOR usage, and exfiltration.

  • Proxy logs map full attack chains from phishing → malware → beacon → exfiltration.
