# external\_http\_beacon

**Explanation**

Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_http\_beacon NDM detects network communications over http (port 80) that have a repeating pattern, similar to the sort of communications associated with malware beaconing.

**What to Look For**

This NDM is opt-in, and may require some tuning to be effective on noisy networks. Many legitimate software applications engage in beaconing behavior, to check for software updates, or updates to information such as social media posts or the weather. Internet IP addresses that are identified by this NDM should be checked for IP Reputation, Reverse DNS, and Whois information to determine whether they are benign or suspicious. Configuring discards for IP ranges or AS organizations can help reduce false positives.

**Related MITRE ATT\&CK Categories**

[Command and Control: Application Layer Protocol, Technique T1071 - Enterprise](https://attack.mitre.org/techniques/T1071)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_http_beacon.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.