Requests For beacon.http-get. Help Us Figure Out What They Are Looking For

Published: 2022-07-19
Last Updated: 2022-07-19 14:19:16 UTC
by Johannes Ullrich (Version: 1)

Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing.

At this point, I have no idea what they could be looking for. Maybe some backdoor installed on systems? Command and control servers (something Cobalt Strike-like?).

Many requests originate from the 162.19/16 subnet. Here is a summary by /24 for those with more than ten hits yesterday. There are 19 /24s originating the traffic (and a total of 63 different IP addresses). 169.19/17 appears to be owned by OVH, and no more detailed assignment information is available.

Hits per source /24 (the /24 prefixes themselves did not survive extraction; only the counts remain): 69, 41, 17, 16, 16, 13, 12, 10

All requests appear to use the same user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0). 
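If you want to check your own web server logs for the same pattern, the following script is an added example (not part of the diary, and not ISC code). It parses combined-format access-log lines, keeps only requests for the path '/beacon.http-get', tallies them per source /24 (per /64 for IPv6 clients), and counts the user agents seen, so you can compare against the user agent reported above. The log lines embedded in it are constructed for the example; the regular expression and the helper names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format. These are not
# real log entries; the RFC 5737 addresses 203.0.113.x/198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
162.19.10.5 - - [18/Jul/2022:10:01:02 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
162.19.10.9 - - [18/Jul/2022:10:01:05 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
162.19.44.1 - - [18/Jul/2022:10:02:11 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
203.0.113.7 - - [18/Jul/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.81.0"
198.51.100.2 - - [18/Jul/2022:10:04:00 +0000] "GET /beacon.http-get?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.28"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

TARGET_PATH = "/beacon.http-get"
# User agent reported in the diary for these requests.
SEEN_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_beacon_requests(log_text):
    """Return parsed records whose request path (query string stripped) is the target path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == TARGET_PATH:
            hits.append(rec)
    return hits


def summarize_by_prefix(hits):
    """Count hits per source /24 (IPv4) or /64 (IPv6); malformed addresses are skipped."""
    counts = Counter()
    for rec in hits:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        plen = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        counts[str(net)] += 1
    return counts


def user_agent_counts(hits):
    """Count the distinct user agents among the matching requests."""
    return Counter(rec["ua"] for rec in hits)


def top_sources(counts, min_hits=1):
    """Prefixes with at least min_hits requests, most active first (mirrors the diary's >10 cut-off)."""
    return [(net, n) for net, n in counts.most_common() if n >= min_hits]


if __name__ == "__main__":
    hits = find_beacon_requests(SAMPLE_LOG)
    for net, n in top_sources(summarize_by_prefix(hits)):
        print(f"{net}\t{n}")
    for ua, n in user_agent_counts(hits).most_common():
        print(f"{n}\t{ua}")
```

Run it against a real log with `find_beacon_requests(open("access.log").read())`; raising `min_hits` in `top_sources` reproduces the "more than ten hits" filter used for the table above.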

Johannes B. Ullrich, Ph.D. , Dean of Research,

Keywords: beacon http