Based on our First Seen URLs page, we started seeing more requests for ‘beacon.http-get’ these last few days. The requests are going back a while now but have been increasing.
At this point, I have no idea what they could be looking for. Maybe some backdoor installed on systems? Command and Control servers (something Cobalt Strike like?).
Many requests originate from the 162.19/16 subnet. Here is a summary by /24s with more than ten hits yesterday. There are 19 /24s originating the traffic (and a total of 63 different IP addresses). 169.19/17 appears to be owned by OVH, and no specific detailed assignment information is available.
All requests appear to use the same user agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0).
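The kind of triage described above (pick out requests for the 'beacon.http-get' path, count them per /24, keep the /24s above a hit threshold, and check how many carry the reported user agent) can be run over ordinary web server access logs. The script below is an added example, not code from the diary or from the ISC; it assumes Apache/nginx combined log format, assumes the probe appears as a path containing the token `beacon.http-get`, and feeds itself constructed sample lines using RFC 5737 documentation addresses rather than the diary's real source ranges.

```python
import re
import ipaddress
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators from the diary: the requested path token and the user agent seen on every request.
BEACON_TOKEN = "beacon.http-get"
BEACON_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_beacon_probe(entry):
    """A probe is any request whose path carries the beacon token (assumption: token sits in the path)."""
    return entry is not None and BEACON_TOKEN in entry["path"]


def summarize_by_slash24(lines, min_hits=10):
    """Aggregate beacon probes by source /24.

    Returns a dict with:
      by_slash24   - {'a.b.c.0/24': hits} for networks with MORE than min_hits probes
      distinct_ips - number of distinct probing source addresses
      ua_matches   - how many probes carried the user agent reported in the diary
    """
    per_net = Counter()
    sources = set()
    ua_matches = 0
    for line in lines:
        entry = parse_line(line)
        if not is_beacon_probe(entry):
            continue
        try:
            ip = ipaddress.ip_address(entry["ip"])
        except ValueError:
            continue  # malformed or non-IP client field; skip rather than crash
        if ip.version != 4:
            continue  # /24 bucketing below is IPv4-specific
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[str(net)] += 1
        sources.add(str(ip))
        if entry["ua"] == BEACON_UA:
            ua_matches += 1
    busy = {net: hits for net, hits in per_net.items() if hits > min_hits}
    return {"by_slash24": busy, "distinct_ips": len(sources), "ua_matches": ua_matches}


def build_sample_log():
    """Constructed sample lines (documentation ranges, constructed timestamp), not real ISC data."""
    ts = "01/Jan/2024:00:00:01 +0000"

    def line(ip, path, ua):
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 404 153 "-" "{ua}"'

    # Twelve distinct hosts in one /24 probing the beacon path: over the threshold of ten.
    lines = [line(f"192.0.2.{i}", "/beacon.http-get", BEACON_UA) for i in range(1, 13)]
    # Three hosts in a second /24: below the threshold, one of them with a different user agent.
    lines += [line(f"198.51.100.{i}", "/beacon.http-get", BEACON_UA) for i in (7, 8)]
    lines.append(line("198.51.100.9", "/beacon.http-get", "curl/8.0.1"))
    # Same user agent but a benign path: must not be counted as a probe.
    lines.append(line("203.0.113.5", "/index.html", BEACON_UA))
    return lines


if __name__ == "__main__":
    report = summarize_by_slash24(build_sample_log())
    for net, hits in sorted(report["by_slash24"].items(), key=lambda kv: -kv[1]):
        print(f"{net:20} {hits} hits")
    print(f"distinct source IPs: {report['distinct_ips']}, UA matches: {report['ua_matches']}")
```

On a real server you would replace `build_sample_log()` with the lines of the access log; the threshold and the path token are parameters so the same aggregation can be reused for the next probe string that shows up on the First Seen URLs page.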
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.