external_http_beacon
Explanation
Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external_http_beacon NDM detects network communications over http (port 80) that have a repeating pattern, similar to the sort of communications associated with malware beaconing.
What to Look For
This NDM is opt-in, and may require some tuning to be effective on noisy networks. Many legitimate software applications engage in beaconing behavior, to check for software updates, or updates to information such as social media posts or the weather. Internet IP addresses that are identified by this NDM should be checked for IP Reputation, Reverse DNS, and Whois information to determine whether they are benign or suspicious. Configuring discards for IP ranges or AS organizations can help reduce false positives.
Related MITRE ATT&CK Categories
Updated about 1 month ago