C2 Matrix
C2 Matrix
C2 Matrix
C2 Matrix
The C2 Matrix
SANS Slingshot C2 Matrix Edition
Contribute
Lab Infrastructure
C2 Matrix Eval Lab
Basic Lab
Virtual Machines with C2s
Docker
Resources
C2
Caldera
Covenant
Empire
Faction
ibombshell
Koadic
Merlin
Mythic
Nuages
PoshC2
PowerHub
SilentTrinity
Sliver
SCYTHE
TrevorC2
Attack Infrastructure
Resources
Redirectors/Relays
Detection
Basics
Beacons
JA3/JA3S Hashes
JARM
Powered by GitBook

Beacons

  • Are there instances of beaconing observed in my network?

  • What external destinations are being beaconed to?

  • Which hosts are potentially infected, not just the IP address?

  • Does the beaconing cadence demonstrate unusual request/response frequency?

  • Is the payload size something I would normally see?

  • Does the beacon have a rare or unusual JA3 hash?

  • Is the traffic going to unusual external destination?

  • What is the privilege level of the hosts that are beaconing?

  • Are beaconing sessions obfuscated within a single, long connection?

  • Does the connection use unusual services and protocols?

References:

Detection - Previous
Basics
Next - Detection
JA3/JA3S Hashes
Last updated 1 year ago