Comment on page

Beacons

​
Are there instances of beaconing observed in my network?
What external destinations are being beaconed to?
Which hosts are potentially infected, not just the IP address?
Does the beaconing cadence demonstrate unusual request/response frequency?
Is the payload size something I would normally see?
Does the beacon have a rare or unusual JA3 hash?
Is the traffic going to unusual external destination?
What is the privilege level of the hosts that are beaconing?
Are beaconing sessions obfuscated within a single, long connection?
Does the connection use unusual services and protocols?
References: 
​https://www.activecountermeasures.com/threat-simulation-beacons​
​https://www.blackhillsinfosec.com/detecting-malware-beacons-with-zeek-and-rita/​
​https://www.vectra.ai/blogpost/not-all-data-is-created-the-same​

Detection - Previous

Basics

Next - Detection

JA3/JA3S Hashes

Last modified 3yr ago