Detect Botnet in Elastic Security
Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.005 Botnet
- Canonical reference: https://attack.mitre.org/techniques/T1583/005/
Elastic Detection Query
// === QUERY 1: Botnet C2 Beaconing from Internal Host ===
// Same host, same process and same external destination ip:port seen 12 times within 24h.
// cidrMatch() is how EQL excludes RFC 1918, loopback, link-local and IPv6 ULA space;
// wildcard strings such as "10.*" do not match against ip-typed fields.
sequence by host.name, process.entity_id, destination.ip, destination.port with maxspan=24h
  [network where event.type == "connection" and event.outcome == "success"
    and network.direction == "outbound"
    and not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7")
    and not destination.port in (80, 443, 53)
    and not process.name in ("chrome.exe", "firefox.exe", "msedge.exe", "Teams.exe",
                             "OneDrive.exe", "outlook.exe", "svchost.exe", "SearchIndexer.exe",
                             "MicrosoftEdgeUpdate.exe")] with runs=12
// === QUERY 2: Inbound Volumetric Botnet Attack Pattern ===
// Aggregate approach; run this as an ES|QL query in Kibana (Discover or an ES|QL rule).
// Bound the time window so the thresholds apply per interval rather than over the whole index.
// FROM logs-*
// | WHERE @timestamp > NOW() - 1 hour
// | WHERE event.category == "network" AND network.direction == "inbound"
// | WHERE destination.port IN (80, 443, 8080, 8443, 22, 3389, 25, 587)
// | STATS unique_src = COUNT_DISTINCT(source.ip), total = COUNT(*) BY destination.ip, destination.port
// | WHERE unique_src > 50 AND total > 500
// === QUERY 3: ORB Relay — Host Accepting External Inbound Then Initiating External Outbound ===
// EQL cannot compare a field of one sequence step against a field of another step, so the
// "outbound destination differs from inbound source" condition is not expressible here;
// apply it at triage (or in post-processing of the alerts) before escalating.
sequence by host.name with maxspan=5m
  [network where event.type == "connection" and network.direction == "inbound"
    and not cidrMatch(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
  [network where event.type == "connection" and network.direction == "outbound"
    and not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
    and not destination.port in (80, 443, 53)]

Three detection patterns for T1583.005 Botnet usage: (1) an EQL sequence detecting C2 beaconing as 12 repeated successful connections to the same external IP and port from the same non-browser process within 24 hours, characteristic of fixed-interval botnet C2 polling; (2) a commented ES|QL aggregate for volumetric inbound attack detection across perimeter-exposed ports; (3) ORB relay detection as a two-step sequence keyed on host.name, where an inbound connection from an external source is followed within five minutes by an outbound connection to an external destination on a non-web port. Because EQL cannot compare fields across sequence steps, the check that the outbound destination is a different external address from the inbound source is left to triage.
Data Sources
- ECS network connection events (event.category network, event.type connection) in the logs-* indices with host.name, process.name, process.entity_id, network.direction, event.outcome, source.ip, destination.ip and destination.port populated, for example Elastic Defend network events or Sysmon Event ID 3 shipped through Elastic Agent
- Check the network.direction values your source actually emits before deploying: endpoint sources may use egress/ingress rather than outbound/inbound, in which case the direction clauses in the queries must be adjusted
False Positives & Tuning
- Legitimate backup or sync software (e.g., Veeam, Carbonite) making regular scheduled connections to cloud endpoints at consistent intervals
- Remote monitoring and management (RMM) agents such as ConnectWise, Datto, or Kaseya that beacon home at fixed intervals
- Custom enterprise monitoring agents or heartbeat services that poll a central collector on non-standard ports
- VPN concentrators or SD-WAN appliances that maintain persistent tunnels to peer nodes, appearing as inbound+outbound relay traffic
- Tor exit nodes or anonymizing proxies legitimately deployed in the environment for research purposes
Testing Methodology
Validate these detections with the four simulation tests below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections
Expected signal: Sysmon Event ID 3 (Network Connection): 30 events from powershell.exe to 127.0.0.1:8080 at roughly 10-second intervals over about 5 minutes (about 360 connections per hour), visible in Elastic as network connection events with process.name powershell.exe, destination.ip 127.0.0.1 and destination.port 8080. The connections are refused if no listener is running, but Sysmon still logs the attempt when network monitoring is configured. Note that 127.0.0.1 falls inside the loopback range that Query 1 excludes, so to exercise the rule end to end point the beacon at a controlled external test host, as in Test 3.
- Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern
Expected signal: Sysmon Event ID 3: two network connection events from powershell.exe within the 5-minute correlation window, one inbound accepted connection (or attempt) on port 19876 and one outbound connection to 8.8.8.8:53. Query 3 correlates these by host.name within maxspan=5m. As written, the outbound leg to port 53 is dropped by the "not destination.port in (80, 443, 53)" clause, and an inbound leg originating from loopback or a private address is dropped by the source-IP exclusion; to validate the rule itself, use an external test host and a non-web, non-DNS port for both legs.
- Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation
Expected signal: Sysmon Event ID 3: network connection from powershell.exe to port 6667, visible in Elastic with destination.port 6667 and process.name powershell.exe. Note: 127.0.0.1 is excluded from the detection queries as a private address; to validate the detection pipeline, point this at a controlled external test host on port 6667, and expect Query 1 to fire only once 12 such connections have occurred within 24 hours.
- Test 4: Mass External Connection Simulation — Botnet Spreader Behavior
Expected signal: Sysmon Event ID 3: multiple network connection events from powershell.exe to 30 unique IPs in 203.0.113.0/24 (TEST-NET-3, reserved by RFC 5737 for documentation and not routed on the public Internet, so the connection attempts go nowhere) on port 22, visible in Elastic as 30 distinct destination.ip values with process.name powershell.exe. Note that none of the three queries above keys on the number of distinct destinations; Query 1 keys on repeated connections to a single destination, so this test exercises telemetry collection rather than the detections on this page.
References
- https://attack.mitre.org/techniques/T1583/005/
- https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
- https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
- https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/
- https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1583.005/T1583.005.md