Findings
Average Combined Header Size Elevated
Updated: June 19, 2025
Description
The average combined request and response header size has increased during the current observation period.
A significant increase in header sizes can be an indicator of malicious activity. Headers are usually static, and even where they contain dynamic content such as authentication tokens, those items are usually of a fixed size. Fluctuating header sizes indicate the presence of additional data which shouldn't be there.
Example Attack
An attacker may try to compromise a service via Host Header Injection, which add to the header length. Other attacks may try to modify authentication tokens in the header by adding new privileges or scopes, these modifications change the length of the authentication token. On compromised systems attacks may want to exfiltrate data in encoded chunks in response headers to avoid detection.
Remediation
Investigate what has caused the combined request and response headers sent to this API to increase significantly in size.
Security Frameworks
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.