Requests For beacon.http-get. Help Us Figure Out What They Are Looking For

Published: 2022-07-19. Last Updated: 2022-07-19 14:19:16 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing.

At this point, I have no idea what they could be looking for. Maybe some backdoor installed on systems? Command and Control servers (something Cobalt Strike like?). 

Many requests originate from the 162.19/16 subnet. Here is a summary by /24s with more than ten hits yesterday. There are 19 /24s originating the traffic (and a total of 63 different IP addresses). 169.19/17 appears to be owned by OVH, and no specific detailed assignment information is available.

Source /24 Count
162.19.93.0/24 69
162.19.92.0/24 41
162.19.50.0/24 17
162.19.55.0/24 16
162.19.53.0/24 16
162.19.54.0/24 13
162.19.51.0/24 12
135.125.88.0/24 10

All requests appear to use the same user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0). 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords: beacon http
0 comment(s)
ISC Stormcast For Tuesday, July 19th, 2022 https://isc.sans.edu/podcastdetail.html?id=8092

Comments

Login here to join the discussion.


Diary Archives