Beacons

  • Are there instances of beaconing observed in my network?

  • What external destinations are being beaconed to?

  • Which hosts are potentially infected, not just the IP address?

  • Does the beaconing cadence demonstrate unusual request/response frequency?

  • Is the payload size something I would normally see?

  • Does the beacon have a rare or unusual JA3 hash?

  • Is the traffic going to unusual external destination?

  • What is the privilege level of the hosts that are beaconing?

  • Are beaconing sessions obfuscated within a single, long connection?

  • Does the connection use unusual services and protocols?

References: