Beacons
- Are there instances of beaconing observed in my network?
- What external destinations are being beaconed to?
- Which hosts, not just which IP addresses, are potentially infected?
- Does the beaconing cadence demonstrate unusual request/response frequency?
- Is the payload size something I would normally see?
- Does the beacon have a rare or unusual JA3 hash?
- Is the traffic going to an unusual external destination?
- What is the privilege level of the hosts that are beaconing?
- Are beaconing sessions obfuscated within a single, long connection?
- Does the connection use unusual services and protocols?
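
One way to approach the cadence and payload-size questions above, as an added example that is not part of the original page: group connection records by host and destination, then flag pairs whose check-in interval and bytes sent are both unusually uniform. The record layout, host names, and thresholds are assumptions to tune against your own baseline, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (epoch_seconds, src_host, dst, bytes_sent).
# ws-014 checks in roughly every 60 s with near-identical sizes; ws-022 is bursty browsing.
CONNS = (
    [(t, "ws-014", "203.0.113.10", s) for t, s in zip(
        [0, 60, 121, 180, 239, 300, 361, 420],
        [312, 312, 316, 312, 310, 312, 312, 314])]
    + [(t, "ws-022", "198.51.100.7", s) for t, s in zip(
        [5, 9, 14, 200, 203, 950, 1400],
        [1800, 420, 9100, 650, 15200, 300, 2200])]
)

def relative_mad(values):
    """Median absolute deviation divided by the median (robust to a few outliers)."""
    mid = median(values)
    if mid <= 0:
        return float("inf")
    return median(abs(v - mid) for v in values) / mid

def beacon_candidates(conns, min_events=6, max_jitter=0.10, max_size_spread=0.10):
    """Return {(src, dst): stats} for pairs with regular cadence and uniform payload size."""
    groups = defaultdict(list)
    for ts, src, dst, size in conns:
        groups[(src, dst)].append((ts, size))

    flagged = {}
    for pair, events in groups.items():
        if len(events) < min_events:      # too few samples to judge cadence
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        jitter = relative_mad(gaps)       # cadence regularity
        spread = relative_mad(sizes)      # payload-size uniformity
        if jitter <= max_jitter and spread <= max_size_spread:
            flagged[pair] = {
                "interval": median(gaps),
                "jitter": round(jitter, 3),
                "size_spread": round(spread, 3),
                "events": len(events),
            }
    return flagged

if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(CONNS).items():
        print(src, "->", dst, stats)
```

A flagged pair is a lead, not a verdict: software update checks and monitoring agents produce the same pattern, so pair the result with the destination rarity, JA3, and host privilege questions in the list.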
Last modified 3yr ago