external_http_beacon

Explanation

Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external_http_beacon NDM detects network communications over http (port 80) that have a repeating pattern, similar to the sort of communications associated with malware beaconing.

What to Look For

This NDM is opt-in, and may require some tuning to be effective on noisy networks. Many legitimate software applications engage in beaconing behavior, to check for software updates, or updates to information such as social media posts or the weather. Internet IP addresses that are identified by this NDM should be checked for IP Reputation, Reverse DNS, and Whois information to determine whether they are benign or suspicious. Configuring discards for IP ranges or AS organizations can help reduce false positives.

Related MITRE ATT&CK Categories

Command and Control TA0011