From 2123d366d0cf702749b52d06ded953a6c18de282 Mon Sep 17 00:00:00 2001 From: Joas A Santos <34966120+CyberSecurityUP@users.noreply.github.com> Date: Tue, 16 Dec 2025 21:05:52 -0300 Subject: [PATCH] Create prompt-05.md --- Blue Team/prompt-05.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Blue Team/prompt-05.md diff --git a/Blue Team/prompt-05.md b/Blue Team/prompt-05.md new file mode 100644 index 0000000..d083ba7 --- /dev/null +++ b/Blue Team/prompt-05.md @@ -0,0 +1,14 @@ +Threat-hunt this potential C2 indicator: + +Observed pattern: +- Periodicity: +- Bytes in/out: +- Protocol: +- User-agent / SNI / JA3 (if known): +- Affected hosts count: + +Deliver: +- Beaconing assessment (why/why not) +- What to verify next (process lineage, scheduled tasks, persistence checks) +- Containment recommendation threshold (when to isolate) +- Detections to add (behavioral, not just IOC)
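Review bot: The "Observed pattern" block has no field for the observation window or for interval variance, so the "Beaconing assessment (why/why not)" deliverable has to be answered from a bare "Periodicity:" value. Suggest replacing that line with the interval and its unit, the jitter, and the number of connections over a stated time range. A destination field (domain/IP and port) and the telemetry source would also help, since "Protocol:" and "User-agent / SNI / JA3 (if known):" do not say what the hosts are talking to or where the numbers came from. The "Containment recommendation threshold (when to isolate)" item has no input to weigh against beyond "Affected hosts count:", so a field for host role or criticality would make that answer less generic. As a style point, the file starts directly with the instruction line and the name prompt-05.md says nothing about its purpose; a one-line title at the top would make it easier to find among the other prompts.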