T1583.005

Botnet

Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.

Microsoft Sentinel / Defender

kusto

// === QUERY 1: Botnet C2 Beaconing from Compromised Internal Host ===
// Detects internal processes making highly regular outbound connections to the same external IP
// (characteristic of botnet C2 beaconing at fixed intervals)
let ExcludedProcesses = dynamic(["svchost.exe", "SearchIndexer.exe", "MicrosoftEdgeUpdate.exe",
  "OneDrive.exe", "Teams.exe", "outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"]);
let ExcludedPorts = dynamic([80, 443, 53]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedProcesses))
| where not(RemotePort in (ExcludedPorts))
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    DurationMinutes = datetime_diff('minute', max(Timestamp), min(Timestamp)),
    SampleCommandLine = any(InitiatingProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, RemoteIP, RemotePort
| where ConnectionCount >= 12
| where DurationMinutes >= 30
| extend ConnectionsPerHour = toreal(ConnectionCount) / (toreal(DurationMinutes) / 60.0)
// Regular beaconing: many connections, consistent rate
| where ConnectionsPerHour >= 4 and ConnectionsPerHour <= 120
| extend BeaconScore = case(
    ConnectionCount > 100 and DurationMinutes > 120, "Critical",
    ConnectionCount > 50, "High",
    ConnectionCount > 20, "Medium",
    "Low"
  )
| project Timestamp=LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessId, RemoteIP, RemotePort, ConnectionCount, DurationMinutes,
    ConnectionsPerHour, BeaconScore, SampleCommandLine
| sort by ConnectionCount desc

// === QUERY 2: Inbound Volumetric Botnet Attack Pattern (DDoS/Credential Stuffing) ===
// Detects high-rate inbound connections from many distinct source IPs within short time windows
// CommonSecurityLog covers perimeter firewall, WAF, or network device logs
// Uncomment and customize for your environment
// CommonSecurityLog
// | where TimeGenerated > ago(1h)
// | where DeviceAction !in~ ("deny", "block", "drop", "reset")
// | where DestinationPort in (80, 443, 8080, 8443, 22, 3389, 25, 587)
// | summarize
//     UniqueSourceIPs = dcount(SourceIP),
//     TotalRequests = count(),
//     SourceCountries = make_set(DeviceCustomString1, 20)
//     by DestinationIP, DestinationPort, bin(TimeGenerated, 5m)
// | where UniqueSourceIPs > 50 and TotalRequests > 500
// | extend AttackCategory = case(
//     DestinationPort in (80, 443, 8080, 8443), "HTTP Flood / Web Attack",
//     DestinationPort in (22, 3389), "Credential Stuffing / Brute Force",
//     DestinationPort in (25, 587), "Spam Campaign",
//     "Volumetric Flood"
//   )
// | sort by UniqueSourceIPs desc

// === QUERY 3: ORB Network Relay — Internal Host Acting as Relay Node ===
// Detects hosts receiving external connections AND initiating outbound connections to different external IPs
// Pattern: external IP connects in, host immediately connects out to different external IP (relay behavior)
let TimeWindow = 5m;
let InboundConnections = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where ActionType == "InboundConnectionAccepted"
    | where RemoteIPType == "Public"
    | project InboundTime=Timestamp, DeviceName, InboundSourceIP=RemoteIP, LocalPort=LocalPort;
let OutboundConnections = DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public"
    | where RemotePort !in (80, 443, 53)
    | project OutboundTime=Timestamp, DeviceName, OutboundDestIP=RemoteIP, OutboundPort=RemotePort,
        InitiatingProcessFileName, InitiatingProcessCommandLine;
InboundConnections
| join kind=inner OutboundConnections on DeviceName
| where OutboundTime between (InboundTime .. (InboundTime + TimeWindow))
| where InboundSourceIP != OutboundDestIP
| summarize
    RelayEvents = count(),
    InboundSources = make_set(InboundSourceIP, 10),
    OutboundTargets = make_set(OutboundDestIP, 10)
    by DeviceName, InitiatingProcessFileName
| where RelayEvents >= 3
| sort by RelayEvents desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint — DeviceNetworkEvents

Required Tables

DeviceNetworkEvents CommonSecurityLog

False Positives

CDN and telemetry clients (crash reporters, update services) making regular heartbeat connections to the same endpoint
Legitimate monitoring agents (Datadog, New Relic, Dynatrace) with fixed-interval health check beacons
Business applications with embedded polling loops for license validation or configuration retrieval
Load balancers and reverse proxies that accept external connections and forward to internal services — normal relay architecture
Peer-to-peer software (backup clients, VPN clients, collaborative tools) that maintain persistent connections to distributed infrastructure

Splunk

spl

| comment "=== QUERY 1: C2 Beaconing from Internal Host via Sysmon Network Events ==="
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
  OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
  OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
  OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
  OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
  OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
  OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
  OR Image="*\\Teams.exe" OR Image="*\\OneDrive.exe" OR Image="*\\outlook.exe")
NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=53)
| eval hour_bucket=strftime(_time, "%Y-%m-%d %H")
| stats
    count as connection_count,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    dc(DestinationPort) as unique_ports,
    values(DestinationPort) as ports
    by host, Image, SourceIp, DestinationIp, hour_bucket
| where connection_count >= 8
| eval duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval connections_per_hour=round(connection_count / (duration_minutes / 60), 1)
| where connections_per_hour >= 4 AND connections_per_hour <= 120
| eval beacon_score=case(
    connection_count > 100, "Critical",
    connection_count > 50, "High",
    connection_count > 20, "Medium",
    1=1, "Low"
  )
| table hour_bucket, host, Image, SourceIp, DestinationIp, ports, connection_count, duration_minutes, connections_per_hour, beacon_score
| sort - connection_count

`comment("=== QUERY 2: DNS Queries to Botnet / DGA Domains ===")`
`comment("Detects DNS lookups matching DGA patterns: short TTL, high entropy, many unique FQDNs to same registrar")`
`comment("index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22")`
`comment("| eval domain_length=len(QueryName)")`
`comment("| eval label_count=mvcount(split(QueryName, "."))")`
`comment("| where domain_length > 20 AND label_count >= 3")`
`comment("| stats count as query_count, dc(QueryName) as unique_domains, values(QueryName) as queried_names by host, Image")`
`comment("| where unique_domains > 20 AND query_count > 50")`
`comment("| sort - unique_domains")`

`comment("=== QUERY 3: High-Volume Inbound from Distributed Sources (Firewall/Proxy logs) ===")`
`comment("index=network sourcetype=cisco:asa OR sourcetype=palo:traffic action!=deny")`
`comment("| stats dc(src_ip) as unique_src_ips, count as total_connections by dest_ip, dest_port, span(_time, 5m)")`
`comment("| where unique_src_ips > 50 AND total_connections > 500")`
`comment("| eval attack_type=case(dest_port IN("80","443","8080","8443"),"HTTP Flood",dest_port IN("22","3389"),"Cred Stuffing",1=1,"Volumetric")")`
`comment("| sort - unique_src_ips")`

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: DNS Resolution Sysmon Event ID 3 (Network Connection) Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate telemetry and crash reporting services with fixed-interval connections to vendor infrastructure
Backup and sync agents (Veeam, Acronis, Carbonite) making regular connections to cloud storage endpoints
VPN and endpoint security agents that beacon home for policy updates and health status
Enterprise software license managers polling a fixed license server at regular intervals
Chatbot and help-desk integrations maintaining persistent websocket or long-poll connections

Elastic Security (EQL)

eql

// === QUERY 1: Botnet C2 Beaconing from Internal Host ===
sequence by host.name, process.entity_id, destination.ip with maxspan=24h
  [network where event.type == "connection" and event.outcome == "success"
   and network.direction == "outbound"
   and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
     "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*",
     "192.168.*", "127.*", "169.254.*", "::1", "fc00::/7")
   and not destination.port in (80, 443, 53)
   and not process.name in ("chrome.exe", "firefox.exe", "msedge.exe", "Teams.exe",
     "OneDrive.exe", "outlook.exe", "svchost.exe", "SearchIndexer.exe",
     "MicrosoftEdgeUpdate.exe")] with runs=12

// === QUERY 2: Inbound Volumetric Botnet Attack Pattern ===
// Aggregate approach — use this as an ES|QL query in Kibana
// FROM logs-*
// | WHERE event.category == "network" AND network.direction == "inbound"
// | WHERE destination.port in (80, 443, 8080, 8443, 22, 3389, 25, 587)
// | STATS unique_src = COUNT_DISTINCT(source.ip), total = COUNT() BY destination.ip, destination.port
// | WHERE unique_src > 50 AND total > 500

// === QUERY 3: ORB Relay — Host Relaying Between External IPs ===
sequence by host.name with maxspan=5m
  [network where event.type == "connection"
   and network.direction == "inbound"
   and not source.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
     "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*",
     "192.168.*", "127.*")] as e1
  [network where event.type == "connection"
   and network.direction == "outbound"
   and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
     "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
     "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*",
     "192.168.*", "127.*")
   and not destination.port in (80, 443, 53)
   and destination.ip != e1.source.ip] as e2

high severity medium confidence

Data Sources

Elastic Endpoint Security Windows Event Logs via Elastic Agent Network packet capture via Packetbeat Zeek/Suricata network logs

Required Tables

logs-endpoint.events.network-* logs-network_traffic.* logs-system.security-*

False Positives

Legitimate backup or sync software (e.g., Veeam, Carbonite) making regular scheduled connections to cloud endpoints at consistent intervals
Remote monitoring and management (RMM) agents such as ConnectWise, Datto, or Kaseya that beacon home at fixed intervals
Custom enterprise monitoring agents or heartbeat services that poll a central collector on non-standard ports
VPN concentrators or SD-WAN appliances that maintain persistent tunnels to peer nodes, appearing as inbound+outbound relay traffic
Tor exit nodes or anonymizing proxies legitimately deployed in the environment for research purposes

IBM QRadar (AQL)

sql

// === QUERY 1: C2 Beaconing — High-Frequency Regular Outbound Connections ===
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  LOGSOURCENAME(logsourceid) AS log_source,
  COUNT(*) AS connection_count,
  LONG((MAX(starttime) - MIN(starttime)) / 60000) AS duration_minutes,
  CASE
    WHEN COUNT(*) > 100 AND LONG((MAX(starttime) - MIN(starttime)) / 60000) > 120 THEN 'Critical'
    WHEN COUNT(*) > 50 THEN 'High'
    WHEN COUNT(*) > 20 THEN 'Medium'
    ELSE 'Low'
  END AS beacon_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 40, 352, 434)
  AND starttime > NOW() - 86400000
  AND eventdirection = 1
  AND NOT (destinationip INCIDR '10.0.0.0/8'
    OR destinationip INCIDR '172.16.0.0/12'
    OR destinationip INCIDR '192.168.0.0/16'
    OR destinationip INCIDR '127.0.0.0/8'
    OR destinationip INCIDR '169.254.0.0/16')
  AND destinationport NOT IN (80, 443, 53)
GROUP BY
  sourceip, destinationip, destinationport
HAVING
  COUNT(*) >= 12
  AND LONG((MAX(starttime) - MIN(starttime)) / 60000) >= 30
  AND (CAST(COUNT(*) AS FLOAT) / NULLIF(LONG((MAX(starttime) - MIN(starttime)) / 60000), 0) * 60.0) BETWEEN 4 AND 120
ORDER BY connection_count DESC

// === QUERY 2: Volumetric Inbound Attack from Distributed Sources ===
// SELECT
//   DATEFORMAT(FLOOR(starttime / 300000) * 300000, 'YYYY-MM-dd HH:mm:ss') AS time_bucket,
//   destinationip,
//   destinationport,
//   COUNT(DISTINCT sourceip) AS unique_source_ips,
//   COUNT(*) AS total_connections
// FROM events
// WHERE
//   starttime > NOW() - 3600000
//   AND eventdirection = 2
//   AND destinationport IN (80, 443, 8080, 8443, 22, 3389, 25, 587)
//   AND CATEGORYNAME(category) NOT IN ('Deny', 'Drop', 'Block')
// GROUP BY
//   FLOOR(starttime / 300000) * 300000, destinationip, destinationport
// HAVING
//   COUNT(DISTINCT sourceip) > 50 AND COUNT(*) > 500
// ORDER BY unique_source_ips DESC

// === QUERY 3: ORB Relay Detection — Inbound then Outbound Correlation ===
SELECT
  i.destinationip AS relay_host_ip,
  i.sourceip AS inbound_source,
  o.destinationip AS outbound_target,
  o.destinationport AS outbound_port,
  DATEFORMAT(i.starttime, 'YYYY-MM-dd HH:mm:ss') AS inbound_time,
  DATEFORMAT(o.starttime, 'YYYY-MM-dd HH:mm:ss') AS outbound_time,
  LONG((o.starttime - i.starttime) / 1000) AS relay_delay_seconds
FROM events i
INNER JOIN events o
  ON i.destinationip = o.sourceip
  AND o.starttime BETWEEN i.starttime AND i.starttime + 300000
  AND i.sourceip != o.destinationip
WHERE
  i.starttime > NOW() - 86400000
  AND i.eventdirection = 2
  AND NOT (i.sourceip INCIDR '10.0.0.0/8'
    OR i.sourceip INCIDR '172.16.0.0/12'
    OR i.sourceip INCIDR '192.168.0.0/16')
  AND NOT (o.destinationip INCIDR '10.0.0.0/8'
    OR o.destinationip INCIDR '172.16.0.0/12'
    OR o.destinationip INCIDR '192.168.0.0/16')
  AND o.destinationport NOT IN (80, 443, 53)
ORDER BY inbound_time DESC

high severity medium confidence

Data Sources

QRadar Network Activity (flows) Windows Security Event Log via QRadar WinCollect Firewall/IDS events via syslog Palo Alto, Cisco ASA, or Fortinet log sources

Required Tables

events flows

False Positives

SCCM or patch management systems making frequent scheduled connections to update servers on non-standard ports
VPN gateway appliances with persistent keepalive tunnels to remote peers generating regular connection events
Automated vulnerability scanners or asset inventory tools initiating connections to external IP ranges
Network Address Translation (NAT) devices appearing to relay traffic when internal hosts communicate through them
Cloud-connected backup appliances with regular replication jobs to fixed cloud endpoints

Sumo Logic CSE

sql

// === QUERY 1: C2 Beaconing Detection via Sysmon Network Events ===
_sourceCategory=windows/sysmon EventCode=3
| where !(DestinationIp matches /^10\./ or DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or DestinationIp matches /^192\.168\./ or DestinationIp matches /^127\./ or DestinationIp matches /^169\.254\./)
| where !(Image matches /\\(chrome|firefox|msedge|Teams|OneDrive|outlook|svchost|SearchIndexer|MicrosoftEdgeUpdate)\.exe$/)
| where DestinationPort != 80 and DestinationPort != 443 and DestinationPort != 53
| timeslice 1h
| stats count as connection_count, min(_messageTime) as first_seen, max(_messageTime) as last_seen, count_distinct(DestinationPort) as unique_ports by _timeslice, Computer, Image, SourceIp, DestinationIp
| where connection_count >= 12
| eval duration_minutes = round((last_seen - first_seen) / 60000, 1)
| where duration_minutes >= 30
| eval connections_per_hour = round(connection_count / (duration_minutes / 60), 1)
| where connections_per_hour >= 4 and connections_per_hour <= 120
| eval beacon_score = if(connection_count > 100, "Critical", if(connection_count > 50, "High", if(connection_count > 20, "Medium", "Low")))
| fields _timeslice, Computer, Image, SourceIp, DestinationIp, connection_count, duration_minutes, connections_per_hour, beacon_score
| sort by connection_count desc

// === QUERY 2: DNS Query Volume Spike — Possible DGA/Botnet Resolver ===
// _sourceCategory=windows/sysmon EventCode=22
// | count as query_count, count_distinct(QueryName) as unique_domains by Computer, Image
// | where query_count > 50 and unique_domains > 20
// | sort by unique_domains desc

// === QUERY 3: Inbound Volumetric Attack from Distributed Sources (Network/Firewall logs) ===
// _sourceCategory=network/firewall
// | where action != "deny" and action != "drop" and action != "block"
// | where dest_port in (80, 443, 8080, 8443, 22, 3389, 25, 587)
// | timeslice 5m
// | stats count_distinct(src_ip) as unique_src_ips, count as total_connections by _timeslice, dest_ip, dest_port
// | where unique_src_ips > 50 and total_connections > 500
// | eval attack_type = if(dest_port in (80,443,8080,8443), "HTTP Flood", if(dest_port in (22,3389), "Credential Stuffing", "Volumetric Flood"))
// | sort by unique_src_ips desc

// === QUERY 4: ORB Relay — Host Bridging External Inbound to External Outbound ===
// Run two queries and correlate with join or lookup
_sourceCategory=windows/sysmon EventCode=3
| where !(SourceIp matches /^10\./ or SourceIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or SourceIp matches /^192\.168\./)
| where !(DestinationIp matches /^10\./ or DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or DestinationIp matches /^192\.168\./)
| where DestinationPort != 80 and DestinationPort != 443 and DestinationPort != 53
| count as relay_events, count_distinct(SourceIp) as inbound_sources, count_distinct(DestinationIp) as outbound_targets by Computer, Image
| where relay_events >= 3 and inbound_sources >= 1 and outbound_targets >= 1
| sort by relay_events desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM with Windows Sysmon logs Firewall/network device syslog forwarded to Sumo Logic Zeek or Palo Alto network logs via Sumo Logic collector Windows DNS debug logs via Sumo Logic agent

Required Tables

windows/sysmon network/firewall dns/logs

False Positives

RMM tools (ConnectWise Control, TeamViewer, AnyDesk) making regular heartbeat connections to relay infrastructure on non-standard ports, producing both inbound and outbound relay-like patterns
Windows Update or WSUS agents checking multiple update servers in sequence with consistent intervals
Antivirus or EDR solutions performing regular telemetry uploads to cloud endpoints at fixed scheduled intervals
Multi-homed servers or dual-NIC hosts that legitimately bridge network segments, generating traffic patterns similar to ORB relay detection
Content delivery network (CDN) edge nodes or anycast infrastructure that receive and forward requests as part of normal operation

Google Chronicle / SecOps

yaral

rule botnet_c2_beaconing_internal_host {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects botnet C2 beaconing behavior: internal process making 10+ repeated outbound connections to the same external IP on non-standard ports at regular intervals (4-120/hr), characteristic of fixed-interval C2 polling"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.principal.ip = $src_ip
    $e.target.ip = $dst_ip
    $e.target.port = $dst_port
    $e.principal.process.file.full_path = $proc_path

    // Exclude RFC1918 / loopback / APIPA destinations
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "169.254.0.0/16")

    // Exclude common browser and trusted system processes
    not re.regex($e.principal.process.file.full_path,
      `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|Teams\.exe|OneDrive\.exe|outlook\.exe|svchost\.exe|SearchIndexer\.exe|MicrosoftEdgeUpdate\.exe)$`)

    // Exclude standard web/DNS ports
    $e.target.port != 80
    $e.target.port != 443
    $e.target.port != 53

  match:
    $src_ip, $dst_ip, $dst_port, $proc_path over 1h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $sample_process = array_distinct($e.principal.process.file.full_path)
    $beacon_score = if($connection_count > 100, "Critical",
      if($connection_count > 50, "High",
        if($connection_count > 20, "Medium", "Low")))

  condition:
    #e >= 12
}

rule botnet_orb_relay_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ORB (Operational Relay Box) network relay behavior: host accepts external inbound connection then initiates outbound connection to different external IP within 5 minutes, indicating potential botnet relay node compromise"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.005"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    // Inbound connection from external source
    $inbound.metadata.event_type = "NETWORK_CONNECTION"
    $inbound.network.direction = "INBOUND"
    $inbound.principal.ip = $ext_src_ip
    $inbound.target.ip = $relay_host_ip
    not net.ip_in_range_cidr($inbound.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($inbound.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($inbound.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($inbound.principal.ip, "127.0.0.0/8")

    // Outbound connection to different external target from same host
    $outbound.metadata.event_type = "NETWORK_CONNECTION"
    $outbound.network.direction = "OUTBOUND"
    $outbound.principal.ip = $relay_host_ip
    $outbound.target.ip = $ext_dst_ip
    not net.ip_in_range_cidr($outbound.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($outbound.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($outbound.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($outbound.target.ip, "127.0.0.0/8")
    $outbound.target.port != 80
    $outbound.target.port != 443
    $outbound.target.port != 53

    // Inbound source and outbound destination must differ (true relay)
    $ext_src_ip != $ext_dst_ip

  match:
    $relay_host_ip over 5m

  outcome:
    $relay_events = count_distinct($outbound.metadata.id)
    $inbound_sources = array_distinct($ext_src_ip)
    $outbound_targets = array_distinct($ext_dst_ip)

  condition:
    #outbound >= 3 and #inbound >= 1
}

high severity medium confidence

Data Sources

Google Chronicle UDM with Endpoint Detection telemetry Windows event forwarding via Chronicle forwarder Network flow logs ingested to Chronicle Palo Alto or Fortinet firewall logs normalized to UDM

Required Tables

UDM events with event_type NETWORK_CONNECTION UDM events with network.direction INBOUND/OUTBOUND

False Positives

Automated CI/CD pipeline agents making repeated connections to artifact repositories or build servers at scheduled intervals
Corporate proxy or load balancer appliances that receive inbound client connections and forward to backend pools, appearing as relay nodes
Remote access tools with persistent heartbeat connections to relay infrastructure outside standard ports (e.g., Cloudflare Tunnel, ngrok)
Network monitoring systems that actively poll multiple external endpoints for uptime checks at regular intervals
Cloud-synced collaboration tools with custom relay infrastructure on non-standard ports (e.g., enterprise Zoom, Webex with dedicated ports)

CrowdStrike LogScale (CQL)

cql

// === QUERY 1: C2 Beaconing via NetworkConnectIP4 Events ===
#event_simpleName=NetworkConnectIP4
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
| RemotePort != 80 RemotePort != 443 RemotePort != 53
| ImageFileName != /\\(chrome|firefox|msedge|MicrosoftEdge|Teams|OneDrive|outlook|svchost|SearchIndexer|MicrosoftEdgeUpdate)\.exe$/i
| groupBy([ComputerName, UserName, ImageFileName, ContextProcessId, RemoteAddressIP4, RemotePort],
    function=[
      count(as=connection_count),
      min(timestamp, as=first_seen),
      max(timestamp, as=last_seen),
      collect(CommandLine, limit=1, as=sample_cmdline)
    ])
| connection_count >= 12
| eval duration_minutes = (last_seen - first_seen) / 60000
| duration_minutes >= 30
| eval connections_per_hour = connection_count / (duration_minutes / 60)
| connections_per_hour >= 4 connections_per_hour <= 120
| eval beacon_score = case(
    connection_count > 100 AND duration_minutes > 120, "Critical",
    connection_count > 50, "High",
    connection_count > 20, "Medium",
    true(), "Low"
  )
| table([first_seen, last_seen, ComputerName, UserName, ImageFileName, ContextProcessId,
    RemoteAddressIP4, RemotePort, connection_count, duration_minutes, connections_per_hour,
    beacon_score, sample_cmdline])
| sort(connection_count, order=desc)

// === QUERY 2: DNS Requests to High-Entropy / Possible DGA Domains ===
// #event_simpleName=DnsRequest
// | DomainName != /\.(microsoft|windows|office|google|apple|amazon|akamai|cloudflare|fastly)\.com$/i
// | eval domain_len = length(DomainName)
// | domain_len > 20
// | groupBy([ComputerName, ImageFileName],
//     function=[count(as=query_count), countDistinct(DomainName, as=unique_domains)])
// | unique_domains > 20 query_count > 50
// | sort(unique_domains, order=desc)

// === QUERY 3: ORB Relay — Host Bridging Inbound and Outbound External Connections ===
// Step 1: Identify hosts with inbound external connections
#event_simpleName=NetworkReceiveAcceptIP4
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
| groupBy([ComputerName, aid],
    function=[
      count(as=inbound_count),
      collect(RemoteAddressIP4, limit=10, as=inbound_sources)
    ])
| inbound_count >= 1
| join(
    // Step 2: Hosts with outbound external connections on non-standard ports
    {#event_simpleName=NetworkConnectIP4
    | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
    | RemotePort != 80 RemotePort != 443 RemotePort != 53
    | groupBy([ComputerName, aid],
        function=[
          count(as=outbound_count),
          collect(RemoteAddressIP4, limit=10, as=outbound_targets),
          collect(ImageFileName, limit=5, as=processes)
        ])
    | outbound_count >= 3},
    field=aid, include=[outbound_count, outbound_targets, processes]
  )
| eval relay_score = case(
    inbound_count > 10 AND outbound_count > 10, "Critical",
    inbound_count > 5 OR outbound_count > 5, "High",
    true(), "Medium"
  )
| table([ComputerName, inbound_count, inbound_sources, outbound_count, outbound_targets, processes, relay_score])
| sort(outbound_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (NetworkConnectIP4) CrowdStrike Falcon DNS telemetry (DnsRequest) CrowdStrike Falcon network accept events (NetworkReceiveAcceptIP4) CrowdStrike Falcon ProcessRollup2 for process context

Required Tables

NetworkConnectIP4 NetworkReceiveAcceptIP4 DnsRequest ProcessRollup2

False Positives

Falcon sensor itself or other EDR agents making regular telemetry uploads to Falcon cloud infrastructure on non-standard ports
Software deployment tools (PDQ Deploy, Ansible, Chef) making repeated connections to managed endpoints in patterns resembling C2 polling
Custom enterprise application health monitors or watchdog processes that poll external status APIs at fixed intervals
Legitimate peer-to-peer applications or torrent clients that maintain multiple external connections at consistent rates
Industrial IoT or OT systems with SCADA/HMI polling protocols that use non-standard ports and fixed polling intervals

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001Domains T1583.002DNS Server T1583.003Virtual Private Server T1583.004Server T1583.006Web Services T1583.007Serverless T1583.008Malvertising

Botnet

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections