# Beacons

* Are there instances of beaconing observed in my network?
* What external destinations are being beaconed to?
* Which hosts are potentially infected (the host itself, not just its IP address)?
* Does the beaconing cadence demonstrate unusual request/response frequency?
* Is the payload size something I would normally see?
* Does the beacon have a rare or unusual JA3 hash?
* Is the traffic going to an unusual external destination?
* What is the privilege level of the hosts that are beaconing?
* Are beaconing sessions obfuscated within a single, long connection?
* Does the connection use unusual services and protocols?
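An added example (not code from the original page or the referenced tools) that turns the cadence and payload-size questions above into a check over constructed Zeek-style conn.log records: per (source, destination, port) pair it measures how regular the gaps between connections are and how uniform the request sizes are. The column subset, sample data and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed, trimmed Zeek conn.log sample: only the columns the heuristics use.
HEADER = "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes"
def _row(ts, orig_h, resp_h, resp_p, orig_bytes):
    return f"{ts:.6f}\t{orig_h}\t{resp_h}\t{resp_p}\t{orig_bytes}"
BASE = 1_700_000_000
SAMPLE_LOG = [HEADER] + [
    # 10.0.0.5: 60 s cadence with +/-1 s jitter and identical 512-byte requests
    *(_row(BASE + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 443, 512) for i in range(10)),
    # 10.0.0.7: irregular browsing to one site with varying request sizes
    _row(BASE, "10.0.0.7", "198.51.100.4", 443, 1200),
    _row(BASE + 33, "10.0.0.7", "198.51.100.4", 443, 300),
    _row(BASE + 410, "10.0.0.7", "198.51.100.4", 443, 9800),
    _row(BASE + 445, "10.0.0.7", "198.51.100.4", 443, 77),
    _row(BASE + 1900, "10.0.0.7", "198.51.100.4", 443, 2048),
]

def parse_conn_log(lines):
    """Parse TSV rows using the #fields header; other '#' lines are skipped."""
    cols, records = None, []
    for line in lines:
        if line.startswith("#fields"):
            cols = line.rstrip("\n").split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(cols, line.rstrip("\n").split("\t")))
            records.append((float(rec["ts"]), rec["id.orig_h"], rec["id.resp_h"],
                            int(rec["id.resp_p"]),
                            0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])))
    return records

def score_beacons(records, min_conns=5, max_interval_cv=0.2, min_size_ratio=0.8):
    """Return {(orig_h, resp_h, resp_p): metrics} for pairs whose connection gaps are
    regular (low std/mean) and whose request sizes are mostly one value."""
    groups = defaultdict(list)
    for ts, orig_h, resp_h, resp_p, orig_bytes in records:
        groups[(orig_h, resp_h, resp_p)].append((ts, orig_bytes))
    hits = {}
    for key, rows in groups.items():
        if len(rows) < max(min_conns, 2):
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        interval_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        size_ratio = Counter(size for _, size in rows).most_common(1)[0][1] / len(rows)
        if interval_cv <= max_interval_cv and size_ratio >= min_size_ratio:
            hits[key] = {"count": len(rows), "mean_gap_s": round(mean(gaps), 1),
                         "interval_cv": round(interval_cv, 3), "size_ratio": round(size_ratio, 2)}
    return hits
```

Candidates flagged this way still need the host-level follow-up questions (which host, what privilege level, what destination) before they are treated as infections.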

## References

* <https://www.activecountermeasures.com/threat-simulation-beacons/>
* <https://www.blackhillsinfosec.com/detecting-malware-beacons-with-zeek-and-rita/>
* <https://www.vectra.ai/blogpost/not-all-data-is-created-the-same>
