C2 Matrix

Beacons

  • Are there instances of beaconing observed in my network?
  • What external destinations are being beaconed to?
  • Which hosts are potentially infected (identified by hostname, not just by IP address)?
  • Does the beaconing cadence demonstrate unusual request/response frequency?
  • Is the payload size something I would normally see?
  • Does the beacon have a rare or unusual JA3 hash?
  • Is the traffic going to an unusual external destination?
  • What is the privilege level of the hosts that are beaconing?
  • Are beaconing sessions obfuscated within a single, long connection?
  • Does the connection use unusual services and protocols?
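Several of the questions above (cadence regularity, payload size, JA3 rarity, identifying the source host) can be answered by scoring connection records per source/destination pair. The following is an added example, not code from C2 Matrix or from any of the frameworks it catalogues. It assumes a simplified Zeek conn.log-like record shape `(ts, src, dst, dport, orig_bytes, ja3)`, uses constructed sample records, and the thresholds (`max_interval_cv`, `max_size_cv`, `rare_ja3_hosts`) are illustrative assumptions to be tuned against real baselines.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records (simplified Zeek conn.log shape:
# ts, src, dst, dport, orig_bytes, ja3). All values are made up for this example;
# the JA3 strings are placeholders, not real fingerprints.
SAMPLE_CONNECTIONS = [
    # 10.0.0.5: eight near-periodic ~60 s callbacks, constant size, JA3 seen on one host only
    (1000.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1061.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1119.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1180.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1241.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1299.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1360.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    (1421.0, "10.0.0.5", "203.0.113.10", 443, 512, "JA3_RARE_PLACEHOLDER"),
    # 10.0.0.7: browsing-like traffic, irregular timing and sizes, common JA3
    (1000.0, "10.0.0.7", "198.51.100.20", 443, 1200, "JA3_COMMON_PLACEHOLDER"),
    (1003.0, "10.0.0.7", "198.51.100.20", 443, 340, "JA3_COMMON_PLACEHOLDER"),
    (1050.0, "10.0.0.7", "198.51.100.20", 443, 9800, "JA3_COMMON_PLACEHOLDER"),
    (1500.0, "10.0.0.7", "198.51.100.20", 443, 77, "JA3_COMMON_PLACEHOLDER"),
    (1502.0, "10.0.0.7", "198.51.100.20", 443, 2500, "JA3_COMMON_PLACEHOLDER"),
    (2100.0, "10.0.0.7", "198.51.100.20", 443, 640, "JA3_COMMON_PLACEHOLDER"),
    # 10.0.0.9: a second host sharing the common JA3, so it is not rare
    (1100.0, "10.0.0.9", "198.51.100.20", 443, 800, "JA3_COMMON_PLACEHOLDER"),
    (1400.0, "10.0.0.9", "198.51.100.20", 443, 4100, "JA3_COMMON_PLACEHOLDER"),
]


def coefficient_of_variation(values):
    """Population std dev divided by the mean. 0.0 means perfectly regular;
    None when there are too few values or the mean is zero."""
    if len(values) < 2:
        return None
    m = mean(values)
    return pstdev(values) / m if m else None


def ja3_host_counts(connections):
    """How many distinct source hosts present each JA3 fingerprint."""
    hosts = defaultdict(set)
    for _, src, _, _, _, ja3 in connections:
        hosts[ja3].add(src)
    return {ja3: len(srcs) for ja3, srcs in hosts.items()}


def profile_flows(connections, min_connections=6, max_interval_cv=0.1,
                  max_size_cv=0.1, rare_ja3_hosts=1):
    """Group records by (src, dst, dport) and score each flow for beacon-like
    cadence, constant payload size and rare JA3. Thresholds are assumptions."""
    flows = defaultdict(list)
    for rec in connections:
        _, src, dst, dport, _, _ = rec
        flows[(src, dst, dport)].append(rec)
    ja3_counts = ja3_host_counts(connections)

    results = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r[0])
        timestamps = [r[0] for r in recs]
        intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
        sizes = [r[4] for r in recs]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        rare_ja3 = any(ja3_counts[r[5]] <= rare_ja3_hosts for r in recs)
        enough = len(recs) >= min_connections

        reasons = []
        if enough and interval_cv is not None and interval_cv <= max_interval_cv:
            reasons.append("regular cadence")
        if enough and size_cv is not None and size_cv <= max_size_cv:
            reasons.append("constant payload size")
        if rare_ja3:
            reasons.append("rare JA3")
        results[key] = {
            "connections": len(recs),
            "interval_cv": interval_cv,
            "size_cv": size_cv,
            "rare_ja3": rare_ja3,
            "reasons": reasons,
            # Cadence is the primary signal; require one corroborating signal.
            "suspect": "regular cadence" in reasons and len(reasons) >= 2,
        }
    return results


def suspect_flows(results):
    """Return the (src, dst, dport) keys flagged as suspect, for triage."""
    return sorted(k for k, v in results.items() if v["suspect"])


if __name__ == "__main__":
    profiles = profile_flows(SAMPLE_CONNECTIONS)
    for key, info in profiles.items():
        print(key, info["connections"], info["reasons"], "SUSPECT" if info["suspect"] else "")
```

The source field in the key is what lets an analyst pivot from a beaconing IP to the host itself (DHCP or asset inventory lookup) and then to the privilege level of that host, which the list above asks about but which no flow log carries on its own. Beacons hidden inside one long-lived connection would not show up in this per-connection view; those need per-packet or per-burst timing from the session rather than connection start times.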

References: