T1583.005 CrowdStrike LogScale · LogScale

Detect Botnet in CrowdStrike LogScale

Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Sub-technique
T1583.005 Botnet
Canonical reference
https://attack.mitre.org/techniques/T1583/005/

LogScale Detection Query

CrowdStrike LogScale (CQL)
// === QUERY 1: C2 Beaconing via NetworkConnectIP4 Events ===
// NetworkConnectIP4 carries ContextProcessId but not the image path, command
// line or user; those come from the matching ProcessRollup2 (same aid, whose
// TargetProcessId equals this event's ContextProcessId). The join is an inner
// join over the search window, so processes started before the window drop out.
#event_simpleName=NetworkConnectIP4
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
// Noise trade-off: excluding 80/443/53 also hides HTTPS-borne beacons.
| RemotePort != 80 RemotePort != 443 RemotePort != 53
| join({#event_simpleName=ProcessRollup2},
    field=[aid, ContextProcessId], key=[aid, TargetProcessId],
    include=[ImageFileName, CommandLine, UserName])
| ImageFileName != /\\(chrome|firefox|msedge|MicrosoftEdge|Teams|OneDrive|outlook|svchost|SearchIndexer|MicrosoftEdgeUpdate)\.exe$/i
| groupBy([ComputerName, UserName, ImageFileName, ContextProcessId, RemoteAddressIP4, RemotePort],
    function=[
      count(as=connection_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen),
      collect([CommandLine], limit=1)
    ])
| connection_count >= 12
// @timestamp is milliseconds since the epoch
| duration_minutes := (last_seen - first_seen) / 60000
| duration_minutes >= 30
| connections_per_hour := connection_count / (duration_minutes / 60)
| connections_per_hour >= 4 connections_per_hour <= 120
| case {
    connection_count > 100 AND duration_minutes > 120 | beacon_score := "Critical";
    connection_count > 50 | beacon_score := "High";
    connection_count > 20 | beacon_score := "Medium";
    * | beacon_score := "Low"
  }
| table([first_seen, last_seen, ComputerName, UserName, ImageFileName, ContextProcessId,
    RemoteAddressIP4, RemotePort, connection_count, duration_minutes, connections_per_hour,
    beacon_score, CommandLine])
| sort(connection_count, order=desc)

// === QUERY 2: DNS Requests to High-Entropy / Possible DGA Domains ===
// DnsRequest carries ContextProcessId only; pivot it to ProcessRollup2.TargetProcessId
// for the image path. Commented out by default: tune the thresholds before enabling.
// #event_simpleName=DnsRequest
// | DomainName != /\.(microsoft|windows|office|google|apple|amazon|akamai|cloudflare|fastly)\.com$/i
// | length(DomainName, as=domain_len)
// | domain_len > 20
// | groupBy([ComputerName, ContextProcessId],
//     function=[count(as=query_count), count(DomainName, distinct=true, as=unique_domains)])
// | unique_domains > 20 query_count > 50
// | sort(unique_domains, order=desc)

// === QUERY 3: ORB Relay — Host Bridging Inbound and Outbound External Connections ===
// Both aggregates key on aid and are inner-joined, so a host needs at least one
// accepted external connection AND three outbound external connections (on a
// port other than 80/443/53) within the same search window to surface.
// Step 1: Hosts that accepted inbound connections from external addresses
#event_simpleName=NetworkReceiveAcceptIP4
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
| groupBy([ComputerName, aid],
    function=[
      count(as=inbound_count),
      collect([RemoteAddressIP4], limit=10)
    ])
| rename(field=RemoteAddressIP4, as=inbound_sources)
| inbound_count >= 1
| join(
    // Step 2: Hosts with outbound external connections on non-standard ports.
    // ContextProcessId is collected instead of an image path, which this event
    // does not carry; pivot it to ProcessRollup2.TargetProcessId.
    {#event_simpleName=NetworkConnectIP4
    | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/
    | RemotePort != 80 RemotePort != 443 RemotePort != 53
    | groupBy([aid],
        function=[
          count(as=outbound_count),
          collect([RemoteAddressIP4, ContextProcessId], limit=10)
        ])
    | rename(field=RemoteAddressIP4, as=outbound_targets)
    | rename(field=ContextProcessId, as=relay_pids)
    | outbound_count >= 3},
    field=aid, include=[outbound_count, outbound_targets, relay_pids]
  )
| case {
    inbound_count > 10 AND outbound_count > 10 | relay_score := "Critical";
    inbound_count > 5 OR outbound_count > 5 | relay_score := "High";
    * | relay_score := "Medium"
  }
| table([ComputerName, inbound_count, inbound_sources, outbound_count, outbound_targets, relay_pids, relay_score])
| sort(outbound_count, order=desc)
Severity: high · Confidence: medium

Three CrowdStrike LogScale (Falcon) CQL queries for T1583.005 Botnet detection using Falcon telemetry: (1) NetworkConnectIP4 aggregation that identifies C2 beaconing by grouping connections per process and destination and keeping groups with at least 12 connections over 30+ minutes at 4–120 connections per hour on non-standard ports, with common browsers and system binaries excluded; (2) a commented-out DnsRequest query for DGA-style domains, keyed on a high count of unique long domains from a single process; (3) ORB relay detection that joins NetworkReceiveAcceptIP4 (inbound) and NetworkConnectIP4 (outbound) aggregates on aid to find hosts bridging external traffic, scored by relay volume.
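As an added example (not code from this page or from CrowdStrike), the logic of Query 1 replayed in Python over a handful of constructed NetworkConnectIP4-style rows. The rows already carry ImageFileName, UserName and CommandLine, that is, they represent events after process context has been attached; the destination addresses are from the RFC 5737 documentation ranges and the host, user, process IDs and paths are invented. Running it shows which profiles survive each threshold, including why the 30-connection, five-minute profile described in Test 1 below never reaches the scoring stage.

```python
"""Beacon scoring in the style of Query 1, replayed over constructed events.

Added example, not code from the page or from CrowdStrike. Events are hand-built
dictionaries shaped like NetworkConnectIP4 rows with ProcessRollup2 context
(ImageFileName, CommandLine, UserName) already present.
"""
import re
from collections import defaultdict

# Same private/loopback/link-local regex as the query. Deliberately NOT
# ipaddress.is_private(): that also treats 203.0.113.0/24 (TEST-NET-3) as
# private and would silently drop the Test 4 traffic.
PRIVATE_RE = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)")
EXCLUDED_PORTS = {80, 443, 53}
EXCLUDED_IMAGES = {n.lower() for n in (
    "chrome.exe", "firefox.exe", "msedge.exe", "MicrosoftEdge.exe", "Teams.exe",
    "OneDrive.exe", "outlook.exe", "svchost.exe", "SearchIndexer.exe", "MicrosoftEdgeUpdate.exe")}


def beacon_score(connection_count, duration_minutes):
    """The case ladder from Query 1."""
    if connection_count > 100 and duration_minutes > 120:
        return "Critical"
    if connection_count > 50:
        return "High"
    if connection_count > 20:
        return "Medium"
    return "Low"


def detect_beacons(events, min_count=12, min_minutes=30, min_rate=4.0, max_rate=120.0):
    """Group per process/destination, apply Query 1's thresholds, return scored hits."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event_simpleName"] != "NetworkConnectIP4":
            continue
        if PRIVATE_RE.match(ev["RemoteAddressIP4"]) or ev["RemotePort"] in EXCLUDED_PORTS:
            continue
        if ev["ImageFileName"].rsplit("\\", 1)[-1].lower() in EXCLUDED_IMAGES:
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["ImageFileName"],
               ev["ContextProcessId"], ev["RemoteAddressIP4"], ev["RemotePort"])
        groups[key].append(ev["timestamp"])

    hits = []
    for key, stamps in groups.items():
        n = len(stamps)
        if n < min_count:
            continue
        duration = (max(stamps) - min(stamps)) / 60000   # ms -> minutes
        if duration < min_minutes:
            continue
        rate = n / (duration / 60)                        # connections per hour
        if not (min_rate <= rate <= max_rate):
            continue
        hits.append({
            "ComputerName": key[0], "ImageFileName": key[2],
            "RemoteAddressIP4": key[4], "RemotePort": key[5],
            "connection_count": n, "duration_minutes": round(duration, 1),
            "connections_per_hour": round(rate, 1),
            "beacon_score": beacon_score(n, duration),
        })
    return sorted(hits, key=lambda h: h["connection_count"], reverse=True)


def synth(image, dst, port, interval_s, count, pid, start_ms=1_700_000_000_000):
    """Constructed NetworkConnectIP4 rows: one connection every interval_s seconds."""
    return [{
        "event_simpleName": "NetworkConnectIP4", "ComputerName": "WS-042",
        "UserName": "alice", "ImageFileName": image, "ContextProcessId": pid,
        "RemoteAddressIP4": dst, "RemotePort": port,
        "timestamp": start_ms + i * interval_s * 1000,
    } for i in range(count)]


# Constructed sample; destinations are RFC 5737 documentation addresses.
SAMPLE = (
    # Test 1 profile from the page: 30 connections at ~10 s, only ~5 min of activity.
    synth(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "198.51.100.10", 8080, 10, 30, 1001)
    # Slow beacon: every 60 s for 40 connections (39 min, ~61/hour).
    + synth(r"C:\Users\alice\AppData\Local\Temp\update.exe", "198.51.100.20", 4444, 60, 40, 1002)
    # Long-running beacon: 120 connections at 90 s (~178 min, ~40/hour).
    + synth(r"C:\ProgramData\svc\agent.exe", "198.51.100.21", 8443, 90, 120, 1003)
    # Browser and private-destination traffic the query excludes.
    + synth(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "198.51.100.30", 8443, 60, 40, 1004)
    + synth(r"C:\Users\alice\AppData\Local\Temp\update.exe", "10.0.0.5", 4444, 60, 40, 1005)
)

if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE):
        print(hit)
```

Only agent.exe (Critical) and update.exe (Medium) come out; the powershell.exe run fails the 30-minute floor and would also fail the 120/hour ceiling, which is the reason a beacon test has to run slow and long before this query can be called validated.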

Data Sources

  • CrowdStrike Falcon endpoint telemetry: NetworkConnectIP4 (outbound connections)
  • CrowdStrike Falcon DNS telemetry: DnsRequest
  • CrowdStrike Falcon network accept events: NetworkReceiveAcceptIP4 (inbound connections)
  • CrowdStrike Falcon ProcessRollup2 for process context (image path, command line, user)

Required Tables

  • NetworkConnectIP4
  • NetworkReceiveAcceptIP4
  • DnsRequest
  • ProcessRollup2

False Positives & Tuning

  • EDR, backup or fleet-management agents that upload telemetry at fixed intervals on non-standard ports (the Falcon sensor itself talks to its cloud over 443, which the queries already exclude)
  • Software deployment tools (PDQ Deploy, Ansible, Chef) making repeated connections to managed endpoints in patterns resembling C2 polling
  • Custom enterprise application health monitors or watchdog processes that poll external status APIs at fixed intervals
  • Legitimate peer-to-peer applications or torrent clients that maintain multiple external connections at consistent rates
  • Industrial IoT or OT systems with SCADA/HMI polling protocols that use non-standard ports and fixed polling intervals
  • The 80/443/53 exclusion in Queries 1 and 3 is a noise trade-off, not a property of botnet traffic: HTTPS-borne beacons are not scored. When hunting, drop the port exclusion and raise the minimum connection count, or pair the query with proxy or TLS telemetry
  • The queries cover IPv4 events only; NetworkConnectIP6 and NetworkReceiveAcceptIP6 need equivalent logic on dual-stack hosts

Testing Methodology

Validate this detection against the four test cases below. Each lists the behaviour to exercise and the Falcon telemetry you should expect, and notes where the test as described falls outside the thresholds of the queries above, so you know which parameter to adjust before calling the detection validated.

  1. Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections

    Expected signal: NetworkConnectIP4: 30 events from powershell.exe (ContextProcessId pivoting to the powershell.exe ProcessRollup2) to 127.0.0.1:8080 at ~10-second intervals, i.e. 30 connections over ~5 minutes (~360/hour). The connection is refused if nothing listens on 8080, but the sensor still emits the connect event for the attempt. As described, this does not fire Query 1: 127.0.0.1 is excluded as loopback, the run is under the 30-minute minimum, and ~360/hour is above the 120/hour ceiling. To validate Query 1, point the beacon at a controlled external test host on a port other than 80/443/53 and run it for at least 30 minutes at between 4 and 120 connections per hour, for example one connection every 60 seconds for 40 minutes.

  2. Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern

    Expected signal: NetworkReceiveAcceptIP4 for the accepted inbound connection on port 19876 and NetworkConnectIP4 for the outbound connection to 8.8.8.8:53, both carrying the same aid. Query 3 joins the inbound and outbound aggregates on aid over the whole search window rather than a sliding correlation window, so the two legs only need to fall inside the query's time range. As described, the test will not match: the outbound leg is on port 53, which Query 3 excludes, a single outbound connection is below the outbound_count >= 3 minimum, and the inbound source must be a non-private address. Use an external peer for the inbound leg and make at least three outbound connections on a non-excluded port.

  3. Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation

    Expected signal: NetworkConnectIP4 from powershell.exe with RemotePort=6667. Note: 127.0.0.1 is excluded from the detection queries as loopback; to validate the pipeline, point this at a controlled external test host on port 6667. A single IRC connect confirms telemetry collection only; Query 1 needs the sustained pattern from Test 1 before it scores anything.

  4. Test 4: Mass External Connection Simulation — Botnet Spreader Behavior

    Expected signal: NetworkConnectIP4: connection attempts from powershell.exe to 30 unique addresses in 203.0.113.0/24 (TEST-NET-3, the RFC 5737 documentation range, which is reserved and not routed on the Internet, so the SYNs go unanswered) on port 22. The query's private-range regex does not match 203.0.113.x, so these count as external. None of the three queries counts unique destinations per process; this test feeds the outbound leg of Query 3 (30 external connects on a non-excluded port, well above outbound_count >= 3) and produces a relay hit only if the same host also accepted an inbound connection from an external address during the window.
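Query 3's join and Test 2 above, as an added example in Python rather than page or vendor code: inbound NetworkReceiveAcceptIP4 and outbound NetworkConnectIP4 aggregates are built per aid and inner-joined, with the same private-range and port exclusions as the query. The aids, hostnames, process IDs and peer addresses are constructed (RFC 5737 ranges and 8.8.8.8 as in the test). The sample includes the Test 2 pattern exactly as the page describes it, so the result shows why that pattern alone does not produce a relay hit, next to a profile that does and a host whose only inbound peer is private.

```python
"""ORB relay correlation in the style of Query 3, replayed over constructed events.

Added example, not code from the page or from CrowdStrike. Rows mimic Falcon
NetworkReceiveAcceptIP4 (inbound accept) and NetworkConnectIP4 (outbound) events.
"""
import re
from collections import defaultdict

PRIVATE_RE = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)")
EXCLUDED_PORTS = {80, 443, 53}


def relay_score(inbound_count, outbound_count):
    """The case ladder from Query 3."""
    if inbound_count > 10 and outbound_count > 10:
        return "Critical"
    if inbound_count > 5 or outbound_count > 5:
        return "High"
    return "Medium"


def detect_relays(events, min_outbound=3):
    """Aggregate both legs per aid and inner-join them, as Query 3 does."""
    inbound = defaultdict(lambda: {"count": 0, "sources": set(), "host": None})
    outbound = defaultdict(lambda: {"count": 0, "targets": set(), "pids": set()})
    for ev in events:
        if PRIVATE_RE.match(ev["RemoteAddressIP4"]):
            continue  # both legs ignore private, loopback and link-local peers
        if ev["event_simpleName"] == "NetworkReceiveAcceptIP4":
            rec = inbound[ev["aid"]]
            rec["count"] += 1
            rec["sources"].add(ev["RemoteAddressIP4"])
            rec["host"] = ev["ComputerName"]
        elif ev["event_simpleName"] == "NetworkConnectIP4" and ev["RemotePort"] not in EXCLUDED_PORTS:
            rec = outbound[ev["aid"]]
            rec["count"] += 1
            rec["targets"].add(ev["RemoteAddressIP4"])
            rec["pids"].add(ev["ContextProcessId"])

    hits = []
    for aid, inb in inbound.items():           # inner join: aid must appear on both sides
        outb = outbound.get(aid)
        if outb is None or outb["count"] < min_outbound:
            continue
        hits.append({
            "aid": aid, "ComputerName": inb["host"],
            "inbound_count": inb["count"], "inbound_sources": sorted(inb["sources"]),
            "outbound_count": outb["count"], "outbound_targets": sorted(outb["targets"]),
            "relay_pids": sorted(outb["pids"]),
            "relay_score": relay_score(inb["count"], outb["count"]),
        })
    return sorted(hits, key=lambda h: h["outbound_count"], reverse=True)


def accept(aid, host, src, local_port):
    """Constructed NetworkReceiveAcceptIP4 row: an inbound connection the host accepted."""
    return {"event_simpleName": "NetworkReceiveAcceptIP4", "aid": aid, "ComputerName": host,
            "RemoteAddressIP4": src, "LocalPort": local_port}


def connect(aid, host, dst, port, pid):
    """Constructed NetworkConnectIP4 row: an outbound connection the host initiated."""
    return {"event_simpleName": "NetworkConnectIP4", "aid": aid, "ComputerName": host,
            "RemoteAddressIP4": dst, "RemotePort": port, "ContextProcessId": pid}


SAMPLE = (
    # Test 2 as written on the page: one accept on 19876, one connect to 8.8.8.8:53.
    # Misses twice: port 53 is excluded, and one outbound is below min_outbound.
    [accept("aid-a1", "WS-042", "198.51.100.9", 19876),
     connect("aid-a1", "WS-042", "8.8.8.8", 53, 1001)]
    # Relay profile: six external peers accepted, twelve outbound connects on 8443.
    + [accept("aid-b2", "SRV-07", f"198.51.100.{i}", 19876) for i in range(10, 16)]
    + [connect("aid-b2", "SRV-07", f"203.0.113.{i}", 8443, 2002) for i in range(20, 32)]
    # Only a private inbound peer: no inbound aggregate, so the join drops the host.
    + [accept("aid-c3", "WS-011", "192.168.1.20", 3389)]
    + [connect("aid-c3", "WS-011", f"198.51.100.{i}", 8443, 3003) for i in range(40, 45)]
)

if __name__ == "__main__":
    for hit in detect_relays(SAMPLE):
        print(hit)
```

Only SRV-07 surfaces, scored High (inbound 6 clears the 5 threshold, inbound does not clear the 10 needed for Critical). The Test 2 host never reaches the scoring stage, which is the adjustment the test description above asks for.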
