Hunting for Command and Control Beaconing

When to Use

- When proactively hunting for compromised systems in the network
- After threat intel indicates C2 frameworks targeting your industry
- When investigating periodic outbound connections to suspicious domains
- During incident response to identify active C2 channels
- When DNS query logs show unusual patterns to specific domains

Prerequisites

- Network proxy/firewall logs with full URL and timing data
- DNS query logs (passive DNS, DNS server logs, or Sysmon Event ID 22)
- Zeek/Bro network connection logs or NetFlow data
- SIEM with statist…