Detect Botnet in Google Chronicle
Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.005 Botnet
- Canonical reference: https://attack.mitre.org/techniques/T1583/005/
YARA-L Detection Query
rule botnet_c2_beaconing_internal_host {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects botnet C2 beaconing behavior: internal process making 12+ repeated outbound connections to the same external IP on a non-standard port within one hour, characteristic of fixed-interval C2 polling"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.principal.ip = $src_ip
    $e.target.ip = $dst_ip
    $e.target.port = $dst_port
    $e.principal.process.file.full_path = $proc_path

    // Exclude RFC1918 / loopback / APIPA destinations
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "169.254.0.0/16")

    // Exclude common browser and trusted system processes
    not re.regex($e.principal.process.file.full_path,
      `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|Teams\.exe|OneDrive\.exe|outlook\.exe|svchost\.exe|SearchIndexer\.exe|MicrosoftEdgeUpdate\.exe)$`)

    // Exclude standard web/DNS ports
    $e.target.port != 80
    $e.target.port != 443
    $e.target.port != 53

  match:
    // One group per (source, destination, port, process) tuple per hour
    $src_ip, $dst_ip, $dst_port, $proc_path over 1h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $sample_process = array_distinct($e.principal.process.file.full_path)
    $beacon_score = if($connection_count > 100, "Critical",
                       if($connection_count > 50, "High",
                          if($connection_count > 20, "Medium", "Low")))

  condition:
    // Threshold is a connection count only; interval regularity is not measured here
    #e >= 12
}
rule botnet_orb_relay_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects ORB (Operational Relay Box) network relay behavior: host accepts external inbound connection then initiates outbound connection to different external IP within 5 minutes, indicating potential botnet relay node compromise"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.005"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    // Inbound connection from external source
    $inbound.metadata.event_type = "NETWORK_CONNECTION"
    $inbound.network.direction = "INBOUND"
    $inbound.principal.ip = $ext_src_ip
    $inbound.target.ip = $relay_host_ip
    not net.ip_in_range_cidr($inbound.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($inbound.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($inbound.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($inbound.principal.ip, "127.0.0.0/8")

    // Outbound connection to a different external target from the same host
    $outbound.metadata.event_type = "NETWORK_CONNECTION"
    $outbound.network.direction = "OUTBOUND"
    $outbound.principal.ip = $relay_host_ip
    $outbound.target.ip = $ext_dst_ip
    not net.ip_in_range_cidr($outbound.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($outbound.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($outbound.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($outbound.target.ip, "127.0.0.0/8")
    $outbound.target.port != 80
    $outbound.target.port != 443
    $outbound.target.port != 53

    // Inbound source and outbound destination must differ (true relay);
    // compared as event fields rather than placeholders
    $inbound.principal.ip != $outbound.target.ip

    // The outbound leg must follow the inbound leg, as the description states
    $inbound.metadata.event_timestamp.seconds <= $outbound.metadata.event_timestamp.seconds

  match:
    $relay_host_ip over 5m

  outcome:
    $relay_events = count_distinct($outbound.metadata.id)
    $inbound_sources = array_distinct($ext_src_ip)
    $outbound_targets = array_distinct($ext_dst_ip)

  condition:
    #outbound >= 3 and #inbound >= 1
}

Two Chronicle YARA-L 2.0 rules for T1583.005 Botnet detection using UDM-normalized network events: (1) botnet_c2_beaconing_internal_host correlates 12+ outbound connections from the same source process to the same external IP/port combination within a 1-hour window, excluding browser processes and standard ports, with severity scoring based on connection count; (2) botnet_orb_relay_detection identifies hosts acting as relay nodes by detecting inbound external connections followed within 5 minutes by outbound connections to different external IPs, a hallmark of ORB network compromise.
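The first rule counts connections per (source, destination, port, process) tuple; its description promises fixed-interval polling, which a count alone cannot show. The following Python is an added example, not part of the page or the Argus rule set: it re-implements the rule's grouping and exclusions over constructed UDM-style events and adds the inter-arrival regularity check (jitter as coefficient of variation, rate within 4-120/hr) an analyst would apply when triaging a hit. Event field names, the sample hosts, paths and timestamps are all constructed.

```python
import ipaddress, re, statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Same exclusions as the YARA-L rule: trusted processes, private/loopback/APIPA destinations, web/DNS ports.
EXCLUDED_PROCS = re.compile(r"(?i)(chrome\.exe|firefox\.exe|msedge\.exe|Teams\.exe|OneDrive\.exe|outlook\.exe"
                            r"|svchost\.exe|SearchIndexer\.exe|MicrosoftEdgeUpdate\.exe)$")
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXCLUDED_PORTS = {80, 443, 53}

def beacon_score(n):  # mirrors the rule's $beacon_score outcome
    return "Critical" if n > 100 else "High" if n > 50 else "Medium" if n > 20 else "Low"

def find_beacons(events, window=timedelta(hours=1), min_count=12, max_cv=0.2):
    # Group like the rule's match section, then add a regularity check the rule itself does not make.
    groups = defaultdict(list)
    for e in events:
        if e["direction"] != "OUTBOUND" or e["dst_port"] in EXCLUDED_PORTS:
            continue
        if any(ipaddress.ip_address(e["dst_ip"]) in n for n in PRIVATE) or EXCLUDED_PROCS.search(e["proc_path"]):
            continue
        groups[(e["src_ip"], e["dst_ip"], e["dst_port"], e["proc_path"])].append(e["ts"])
    hits = {}
    for key, stamps in groups.items():
        stamps.sort()
        # densest 1-hour window for this tuple: the rule's "over 1h" plus "#e >= 12"
        best = max(sum(1 for s in stamps[i:] if s < t + window) for i, t in enumerate(stamps))
        if best < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        per_hour = 3600 / mean if mean else float("inf")
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # jitter: 0.0 is perfectly periodic
        hits[key] = {"count": best, "score": beacon_score(best), "interval_s": mean, "per_hour": per_hour,
                     "regular": cv <= max_cv and 4 <= per_hour <= 120}
    return hits

def _sample(start, n, step_s, src, dst, port, proc):  # constructed UDM-style NETWORK_CONNECTION events
    return [{"ts": start + timedelta(seconds=i * step_s), "direction": "OUTBOUND", "src_ip": src,
             "dst_ip": dst, "dst_port": port, "proc_path": proc} for i in range(n)]

T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = (
    _sample(T0, 15, 240, "10.1.2.3", "203.0.113.45", 4444, r"C:\Users\bob\AppData\Roaming\updater.exe")  # 15/hr, fixed gap
    + _sample(T0, 20, 60, "10.1.2.3", "198.51.100.9", 443, r"C:\Program Files\Google\Chrome\chrome.exe")  # excluded
    + _sample(T0, 30, 30, "10.1.2.3", "10.0.0.5", 8080, r"C:\Windows\svc\agent.exe")  # excluded: RFC1918 destination
)
```

Only the updater.exe tuple survives the exclusions; it scores "Low" by count (15 connections) but is flagged regular, which is the signal the count-based score misses.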
Data Sources
Required Tables
False Positives & Tuning
- Automated CI/CD pipeline agents making repeated connections to artifact repositories or build servers at scheduled intervals
- Corporate proxy or load balancer appliances that receive inbound client connections and forward to backend pools, appearing as relay nodes
- Remote access tools with persistent heartbeat connections to relay infrastructure outside standard ports (e.g., Cloudflare Tunnel, ngrok)
- Network monitoring systems that actively poll multiple external endpoints for uptime checks at regular intervals
- Cloud-synced collaboration tools with custom relay infrastructure on non-standard ports (e.g., enterprise Zoom, Webex with dedicated ports)
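The relay rule's proxy/load-balancer false positive is usually handled with an allowlist of known forwarding hosts. As an added example that is not part of the page or the Argus rule set, the Python below re-implements botnet_orb_relay_detection's correlation (external inbound, then 3+ outbound legs to different external IPs on non-standard ports within 5 minutes) over constructed events, enforces the inbound-before-outbound ordering, and shows the allowlist tuning. The KNOWN_FORWARDERS set, host addresses and event ids are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXCLUDED_PORTS = {80, 443, 53}
# Tuning allowlist (constructed): hosts that legitimately accept external connections and forward them on
KNOWN_FORWARDERS = {"10.20.0.10"}

def is_external(ip): return not any(ipaddress.ip_address(ip) in n for n in PRIVATE)

def find_relays(events, window=timedelta(minutes=5), min_outbound=3, allowlist=KNOWN_FORWARDERS):
    inbound, outbound = defaultdict(list), defaultdict(list)
    for e in events:
        if e["direction"] == "INBOUND" and is_external(e["src_ip"]):
            inbound[e["dst_ip"]].append(e)  # keyed by the would-be relay host
        elif e["direction"] == "OUTBOUND" and is_external(e["dst_ip"]) and e["dst_port"] not in EXCLUDED_PORTS:
            outbound[e["src_ip"]].append(e)
    hits = {}
    for host, ins in inbound.items():
        if host in allowlist:
            continue
        for i in ins:
            # outbound legs that follow this inbound within the window and go to a different external IP
            legs = [o for o in outbound[host]
                    if i["ts"] <= o["ts"] < i["ts"] + window and o["dst_ip"] != i["src_ip"]]
            if len(legs) < min_outbound:
                continue
            h = hits.setdefault(host, {"relay_ids": set(), "inbound_sources": set(), "outbound_targets": set()})
            h["relay_ids"].update(o["id"] for o in legs)
            h["inbound_sources"].add(i["src_ip"])
            h["outbound_targets"].update(o["dst_ip"] for o in legs)
    return hits

T0 = datetime(2024, 1, 15, 9, 0, 0)
def _ev(eid, offset_s, direction, src, dst, port):  # constructed UDM-style NETWORK_CONNECTION event
    return {"id": eid, "ts": T0 + timedelta(seconds=offset_s), "direction": direction,
            "src_ip": src, "dst_ip": dst, "dst_port": port}

SAMPLE_EVENTS = [
    _ev("r0", -60, "OUTBOUND", "10.1.2.50", "203.0.113.9", 8443),   # before the inbound: not a relay leg
    _ev("r1", 0, "INBOUND", "198.51.100.77", "10.1.2.50", 19876),    # external source reaches the relay host
    _ev("r2", 30, "OUTBOUND", "10.1.2.50", "203.0.113.10", 8443),
    _ev("r3", 60, "OUTBOUND", "10.1.2.50", "203.0.113.11", 8443),
    _ev("r4", 90, "OUTBOUND", "10.1.2.50", "203.0.113.12", 2222),
    _ev("r5", 120, "OUTBOUND", "10.1.2.50", "8.8.8.8", 53),          # DNS: excluded port, not counted
    _ev("p1", 0, "INBOUND", "198.51.100.5", "10.20.0.10", 8080),     # allowlisted proxy appliance
    _ev("p2", 10, "OUTBOUND", "10.20.0.10", "203.0.113.20", 8080),
    _ev("p3", 20, "OUTBOUND", "10.20.0.10", "203.0.113.21", 8080),
    _ev("p4", 30, "OUTBOUND", "10.20.0.10", "203.0.113.22", 8080),
]
```

Calling find_relays with an empty allowlist makes the proxy appliance fire as well, which is the false positive the list above describes.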
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections
Expected signal: Sysmon Event ID 3 (Network Connection): 30 events from powershell.exe connecting to 127.0.0.1:8080 at regular ~10-second intervals. KQL DeviceNetworkEvents will show ConnectionCount=30, DurationMinutes=~5, ConnectionsPerHour=~360. The connection will fail (connection refused) if no listener is running, but Sysmon will still log the attempt if configured with network monitoring. Note: as with Test 3, 127.0.0.1 falls inside the 127.0.0.0/8 exclusion in botnet_c2_beaconing_internal_host; to exercise the Chronicle rule, point the beacon at a controlled external test host.
- Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern
Expected signal: Sysmon Event ID 3: two network connection events from powershell.exe within the 5-minute correlation window — one inbound accepted connection (or attempt) on port 19876, and one outbound connection to 8.8.8.8:53. The join query in KQL correlates these events by DeviceName within the TimeWindow variable. Note: botnet_orb_relay_detection excludes outbound port 53 and requires the inbound leg to come from a non-private address, so this test as written will not satisfy the Chronicle rule; use a controlled external test host on a non-standard port for the outbound leg when validating it.
- Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation
Expected signal: Sysmon Event ID 3: network connection from powershell.exe to port 6667. DeviceNetworkEvents: RemotePort=6667, InitiatingProcessFileName=powershell.exe. Note: 127.0.0.1 is excluded from the detection queries as a private IP; to validate the detection pipeline, point this at a controlled external test host on port 6667.
- Test 4: Mass External Connection Simulation — Botnet Spreader Behavior
Expected signal: Sysmon Event ID 3: multiple network connection events from powershell.exe to 30 unique IPs in the 203.0.113.0/24 range (TEST-NET-3, RFC 5737 documentation range; routable but safe for testing) on port 22. KQL DeviceNetworkEvents will show InitiatingProcessFileName=powershell.exe with UniqueExternalIPs=30.