Hidden HTTPS Tunnel - detection showing proxy IP as target

When traffic is sent through a proxy, the Vectra platform only sees the connection between the client and the proxy. The proxy then handles communication with the final destination (i.e. external IP), which is not directly visible to Vectra.

Because of this, detections may show the proxy IP address as the target. However, for HTTPS traffic, Vectra can still extract the destination domain from the CONNECT packet, allowing you to see the domain name even if the IP address belongs to a proxy.

This is normal behavior and does not indicate an issue with detection accuracy. You can refer to below article for more details:

Proxy handling: Proxy handling in Vectra

Data Smuggler with proxy: Why would Data Smuggler list an internal IP address as the destination?

PreviousSuspicious Remote Desktop NextData Gathering - detected between Brain and Sensor

Last updated 1 month ago

Was this helpful?