C2 Matrix
Beacons

Last updated 5 years ago

  • Are there instances of beaconing observed in my network?

  • What external destinations are being beaconed to?

  • Which hosts (identified by hostname, not just IP address) are potentially infected?

  • Does the beaconing cadence demonstrate unusual request/response frequency?

  • Is the payload size something I would normally see?

  • Does the beacon have a rare or unusual JA3 hash?

  • Is the traffic going to an unusual external destination?

  • What is the privilege level of the hosts that are beaconing?

  • Are beaconing sessions obfuscated within a single, long connection?

  • Does the connection use unusual services and protocols?
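
Two of the questions above, cadence (unusual request/response frequency) and payload size, can be measured directly from connection logs. The script below is an added example written for this page; it is not code from the C2 Matrix project or from any of the referenced tools. It assumes connection records shaped like Zeek conn.log rows (timestamp, originating host, responding host, responding port, originator bytes) and uses constructed sample traffic: one host that connects to the same destination every 60 seconds with a second of jitter and a constant payload, and one host whose gaps and sizes vary the way interactive browsing does. The thresholds (coefficient of variation of the gaps, fraction of connections sharing the modal size) are illustrative starting points, not tuned values.

```python
"""Score (source host, destination, port) pairs for beacon-like behaviour.

Added example, not from the C2 Matrix page or any tool it lists. Reads
connection records shaped like Zeek conn.log rows and measures request
cadence (low-jitter intervals) and payload-size consistency.
"""
import statistics
from collections import Counter, defaultdict

BASE_TS = 1_700_000_000.0  # arbitrary epoch start for the constructed data


def build_sample_conns():
    """Constructed sample traffic (not real telemetry).

    Returns a list of (ts, orig_h, resp_h, resp_p, orig_bytes) tuples.
    """
    conns = []
    # Host A: 20 connections to 203.0.113.10:443 every 60 s with +/-1 s
    # jitter, each sending the same 512 bytes -> beacon-like.
    for i in range(20):
        ts = BASE_TS + 60 * i + ((i % 3) - 1)
        conns.append((ts, "10.0.0.5", "203.0.113.10", 443, 512))
    # Host B: 11 connections to 198.51.100.20:443 at irregular gaps with
    # widely varying sizes -> looks like a person browsing.
    gaps = [5, 340, 12, 900, 45, 230, 1800, 7, 420, 95]
    sizes = [120, 4300, 88, 910, 2200, 64, 15000, 300, 7700, 510, 140]
    ts = BASE_TS
    conns.append((ts, "10.0.0.7", "198.51.100.20", 443, sizes[0]))
    for gap, size in zip(gaps, sizes[1:]):
        ts += gap
        conns.append((ts, "10.0.0.7", "198.51.100.20", 443, size))
    return conns


def interval_stats(timestamps):
    """Mean inter-connection gap and its coefficient of variation (stdev/mean)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def size_mode_fraction(sizes):
    """Fraction of connections that carry the single most common byte count."""
    top_count = Counter(sizes).most_common(1)[0][1]
    return top_count / len(sizes)


def analyze(conns, min_conns=8, max_cv=0.2, min_size_fraction=0.8):
    """Aggregate per (orig_h, resp_h, resp_p) and score each pair.

    Thresholds are illustrative; a real deployment would baseline them
    against its own traffic before alerting on them.
    """
    groups = defaultdict(list)
    for ts, orig_h, resp_h, resp_p, orig_bytes in conns:
        groups[(orig_h, resp_h, resp_p)].append((ts, orig_bytes))

    results = []
    for key, rows in sorted(groups.items()):
        if len(rows) < min_conns:  # too few samples to judge cadence
            continue
        mean_gap, cv = interval_stats([r[0] for r in rows])
        size_frac = size_mode_fraction([r[1] for r in rows])
        results.append({
            "pair": key,
            "count": len(rows),
            "mean_interval_s": round(mean_gap, 1),
            "interval_cv": round(cv, 3),
            "size_mode_fraction": round(size_frac, 3),
            "beacon_like": cv <= max_cv and size_frac >= min_size_fraction,
        })
    return results


def find_beacons(conns):
    """Return only the pairs flagged as beacon-like."""
    return [r["pair"] for r in analyze(conns) if r["beacon_like"]]


if __name__ == "__main__":
    for r in analyze(build_sample_conns()):
        flag = "BEACON?" if r["beacon_like"] else "ok"
        print(f"{flag:8} {r['pair']} n={r['count']} "
              f"mean={r['mean_interval_s']}s cv={r['interval_cv']} "
              f"size_frac={r['size_mode_fraction']}")
```

Run on the constructed data, only the 10.0.0.5 to 203.0.113.10:443 pair is flagged: its gaps average about 60 seconds with a coefficient of variation near 0.02 and every connection carries the same byte count, while the browsing host shows gaps varying by more than their mean and no dominant payload size. The per-pair aggregation is the point to adapt when answering the "which hosts" question: join on hostname from DHCP or endpoint logs rather than on the originating IP alone.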

References:

https://www.activecountermeasures.com/threat-simulation-beacons
https://www.blackhillsinfosec.com/detecting-malware-beacons-with-zeek-and-rita/
https://www.vectra.ai/blogpost/not-all-data-is-created-the-same