Requests For beacon.http-get. Help Us Figure Out What They Are Looking For
Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing.
At this point, I have no idea what they could be looking for. Maybe some backdoor installed on systems? Command and control servers (something Cobalt Strike-like?).
Many requests originate from the 162.19/16 subnet. Here is a summary of the /24s with more than ten hits yesterday. There are 19 /24s originating the traffic (and a total of 63 different IP addresses). 169.19/17 appears to be owned by OVH, and no specific detailed assignment information is available.
| Source /24 | Count |
|---|---|
| 162.19.93.0/24 | 69 |
| 162.19.92.0/24 | 41 |
| 162.19.50.0/24 | 17 |
| 162.19.55.0/24 | 16 |
| 162.19.53.0/24 | 16 |
| 162.19.54.0/24 | 13 |
| 162.19.51.0/24 | 12 |
| 135.125.88.0/24 | 10 |
All requests appear to use the same user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0).
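To reproduce the kind of summary above on your own web server logs (hits for 'beacon.http-get' grouped by source /24, count of distinct source IPs, and the user agents used), here is an added Python example. It is not code from the ISC or from this diary; it assumes the Apache/nginx "combined" log format, and the log lines embedded in it are constructed for illustration (the IPs, timestamps and statuses are not taken from the diary's data).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx "combined" format (illustrative
# only; not the diary's data). One line is deliberately malformed to show that
# unparsable input is skipped rather than crashing the summary.
SAMPLE_LOG = """\
162.19.93.10 - - [20/Jun/2024:10:01:02 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
162.19.93.11 - - [20/Jun/2024:10:01:05 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
162.19.92.7 - - [20/Jun/2024:10:02:00 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
203.0.113.5 - - [20/Jun/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
162.19.93.12 - - [20/Jun/2024:10:04:00 +0000] "GET /robots.txt HTTP/1.1" 200 55 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
this line is garbage and should be skipped
"""

# Combined log format: client ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_prefix(ip_text):
    """Map a client address to the aggregation prefix: /24 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    bits = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def summarize(log_text, needle="beacon.http-get", min_hits=1):
    """Count requests whose path contains `needle`, grouped by source prefix.

    Returns a dict with:
      by_net      - list of (prefix, count) with count >= min_hits, highest first
      unique_ips  - number of distinct client addresses that requested the path
      user_agents - dict of user agent -> request count
    """
    per_net = Counter()
    per_ua = Counter()
    sources = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or needle not in rec["path"]:
            continue
        try:
            prefix = source_prefix(rec["ip"])
        except ValueError:
            continue  # unparsable client field; ignore the line
        per_net[prefix] += 1
        per_ua[rec["ua"]] += 1
        sources.add(rec["ip"])
    by_net = sorted(
        ((net, n) for net, n in per_net.items() if n >= min_hits),
        key=lambda item: (-item[1], item[0]),
    )
    return {"by_net": by_net, "unique_ips": len(sources), "user_agents": dict(per_ua)}


def render_table(summary):
    """Format the per-prefix counts in the same two-column layout as the diary."""
    rows = ["Source | Count |"]
    rows += [f"{net} | {n} |" for net, n in summary["by_net"]]
    return "\n".join(rows)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(render_table(s))
    print(f"distinct source IPs: {s['unique_ips']}")
    for ua, n in s["user_agents"].items():
        print(f"{n} request(s) with user agent: {ua}")
```

Point `summarize()` at the contents of your access log (for example `open("/var/log/nginx/access.log").read()`) and raise `min_hits` to drop the long tail of single-hit prefixes; the diary's table corresponds to `min_hits=11`. Aggregating by /24 rather than by individual address is what makes a scan sourced from one provider's range (here, OVH's 162.19/16) stand out, and keeping the user-agent count alongside it gives a second pivot: a single unchanging Trident/7.0 string across dozens of addresses is a strong hint that one tool, not many users, is behind the requests.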
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu