Detect Botnet in IBM QRadar
Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.005 Botnet
- Canonical reference: https://attack.mitre.org/techniques/T1583/005/
QRadar Detection Query
// === QUERY 1: C2 Beaconing — High-Frequency Regular Outbound Connections ===
SELECT
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
sourceip,
destinationip,
destinationport,
LOGSOURCENAME(logsourceid) AS log_source,
COUNT(*) AS connection_count,
LONG((MAX(starttime) - MIN(starttime)) / 60000) AS duration_minutes,
CASE
WHEN COUNT(*) > 100 AND LONG((MAX(starttime) - MIN(starttime)) / 60000) > 120 THEN 'Critical'
WHEN COUNT(*) > 50 THEN 'High'
WHEN COUNT(*) > 20 THEN 'Medium'
ELSE 'Low'
END AS beacon_score
FROM events
WHERE
LOGSOURCETYPEID IN (12, 40, 352, 434)
AND starttime > NOW() - 86400000
AND eventdirection = 1
AND NOT (destinationip INCIDR '10.0.0.0/8'
OR destinationip INCIDR '172.16.0.0/12'
OR destinationip INCIDR '192.168.0.0/16'
OR destinationip INCIDR '127.0.0.0/8'
OR destinationip INCIDR '169.254.0.0/16')
AND destinationport NOT IN (80, 443, 53)
GROUP BY
sourceip, destinationip, destinationport
HAVING
COUNT(*) >= 12
AND LONG((MAX(starttime) - MIN(starttime)) / 60000) >= 30
AND (CAST(COUNT(*) AS FLOAT) / NULLIF(LONG((MAX(starttime) - MIN(starttime)) / 60000), 0) * 60.0) BETWEEN 4 AND 120
ORDER BY connection_count DESC
// === QUERY 2: Volumetric Inbound Attack from Distributed Sources ===
// SELECT
// DATEFORMAT(FLOOR(starttime / 300000) * 300000, 'YYYY-MM-dd HH:mm:ss') AS time_bucket,
// destinationip,
// destinationport,
// COUNT(DISTINCT sourceip) AS unique_source_ips,
// COUNT(*) AS total_connections
// FROM events
// WHERE
// starttime > NOW() - 3600000
// AND eventdirection = 2
// AND destinationport IN (80, 443, 8080, 8443, 22, 3389, 25, 587)
// AND CATEGORYNAME(category) NOT IN ('Deny', 'Drop', 'Block')
// GROUP BY
// FLOOR(starttime / 300000) * 300000, destinationip, destinationport
// HAVING
// COUNT(DISTINCT sourceip) > 50 AND COUNT(*) > 500
// ORDER BY unique_source_ips DESC
// === QUERY 3: ORB Relay Detection — Inbound then Outbound Correlation ===
SELECT
i.destinationip AS relay_host_ip,
i.sourceip AS inbound_source,
o.destinationip AS outbound_target,
o.destinationport AS outbound_port,
DATEFORMAT(i.starttime, 'YYYY-MM-dd HH:mm:ss') AS inbound_time,
DATEFORMAT(o.starttime, 'YYYY-MM-dd HH:mm:ss') AS outbound_time,
LONG((o.starttime - i.starttime) / 1000) AS relay_delay_seconds
FROM events i
INNER JOIN events o
ON i.destinationip = o.sourceip
AND o.starttime BETWEEN i.starttime AND i.starttime + 300000
AND i.sourceip != o.destinationip
WHERE
i.starttime > NOW() - 86400000
AND i.eventdirection = 2
AND NOT (i.sourceip INCIDR '10.0.0.0/8'
OR i.sourceip INCIDR '172.16.0.0/12'
OR i.sourceip INCIDR '192.168.0.0/16')
AND NOT (o.destinationip INCIDR '10.0.0.0/8'
OR o.destinationip INCIDR '172.16.0.0/12'
OR o.destinationip INCIDR '192.168.0.0/16')
AND o.destinationport NOT IN (80, 443, 53)
ORDER BY inbound_time DESC
Three AQL queries for T1583.005 Botnet detection in QRadar: (1) flow/event aggregation that identifies C2 beaconing by grouping repeated outbound connections to the same external IP and port and constraining the connection rate to 4-120 per hour, a cadence that indicates automated polling rather than human browsing; (2) a commented-out volumetric inbound query for DDoS or credential stuffing from distributed source IPs; (3) ORB relay detection that self-joins the events table to correlate an inbound connection from an external IP with an outbound connection from the same host to a different external IP within 5 minutes.
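The logic of Query 1 and Query 3 re-implemented in Python as an added example, so the thresholds can be exercised offline against constructed events; it is not part of the page and not QRadar code. It assumes an Event record with an "in"/"out" direction string in place of QRadar's eventdirection values, truncates the duration to whole minutes the way LONG(... / 60000) does, and uses RFC 5737 documentation addresses for the external hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Same private ranges and port exclusions as the WHERE clauses of Query 1 and Query 3.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXCLUDED_PORTS = {80, 443, 53}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    direction: str  # assumption: "out" (local to remote) or "in" (remote to local)


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def beacon_score(count: int, duration_min: int) -> str:
    """The CASE expression of Query 1."""
    if count > 100 and duration_min > 120:
        return "Critical"
    if count > 50:
        return "High"
    if count > 20:
        return "Medium"
    return "Low"


def beacon_candidates(events, min_count=12, min_minutes=30, rate_range=(4.0, 120.0)):
    """Query 1: group outbound connections by (src, dst, port) and apply the HAVING thresholds."""
    groups = defaultdict(list)
    for e in events:
        if e.direction != "out" or is_private(e.dst) or e.dport in EXCLUDED_PORTS:
            continue
        groups[(e.src, e.dst, e.dport)].append(e.ts)
    hits = []
    for (src, dst, dport), times in groups.items():
        count = len(times)
        # LONG((MAX(starttime) - MIN(starttime)) / 60000) truncates to whole minutes; match that.
        duration_min = int((max(times) - min(times)).total_seconds() // 60)
        if count < min_count or duration_min < min_minutes:
            continue
        rate_per_hour = count / duration_min * 60.0
        if not rate_range[0] <= rate_per_hour <= rate_range[1]:
            continue
        hits.append({"sourceip": src, "destinationip": dst, "destinationport": dport,
                     "connection_count": count, "duration_minutes": duration_min,
                     "rate_per_hour": rate_per_hour,
                     "beacon_score": beacon_score(count, duration_min)})
    return sorted(hits, key=lambda h: h["connection_count"], reverse=True)


def orb_relay_candidates(events, window=timedelta(minutes=5)):
    """Query 3: an external inbound connection to a host, followed within the window by an
    outbound connection from that host to a different external IP on a non-web, non-DNS port."""
    inbound = [e for e in events if e.direction == "in" and not is_private(e.src)]
    outbound = [e for e in events if e.direction == "out" and not is_private(e.dst)
                and e.dport not in EXCLUDED_PORTS]
    pairs = []
    for i in inbound:
        for o in outbound:
            if o.src == i.dst and i.ts <= o.ts <= i.ts + window and i.src != o.dst:
                pairs.append({"relay_host_ip": i.dst, "inbound_source": i.src,
                              "outbound_target": o.dst, "outbound_port": o.dport,
                              "relay_delay_seconds": int((o.ts - i.ts).total_seconds())})
    return pairs


def sample_events():
    """Constructed telemetry, not captured data; external addresses are RFC 5737 ranges."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    ev = []
    # A beacon: 25 connections at a steady 5-minute cadence over 2 hours (12.5 per hour).
    ev += [Event(t0 + timedelta(minutes=5 * k), "10.1.2.3", "198.51.100.7", 4444, "out")
           for k in range(25)]
    # A 5-minute burst of 30 connections: fails the 30-minute minimum duration.
    ev += [Event(t0 + timedelta(seconds=10 * k), "10.1.2.4", "203.0.113.5", 8080, "out")
           for k in range(30)]
    # Relay pattern: an external host reaches 10.1.2.5, which then connects out elsewhere.
    ev.append(Event(t0, "203.0.113.10", "10.1.2.5", 19876, "in"))
    ev.append(Event(t0 + timedelta(seconds=90), "10.1.2.5", "198.51.100.20", 8443, "out"))
    # Back to the inbound source (fails i.sourceip != o.destinationip) and one outside the window.
    ev.append(Event(t0 + timedelta(seconds=30), "10.1.2.5", "203.0.113.10", 8443, "out"))
    ev.append(Event(t0 + timedelta(minutes=10), "10.1.2.5", "198.51.100.21", 8443, "out"))
    return ev


if __name__ == "__main__":
    evs = sample_events()
    for hit in beacon_candidates(evs):
        print("beacon:", hit)
    for pair in orb_relay_candidates(evs):
        print("relay:", pair)
```

Run as a script it reports one beacon (10.1.2.3 to 198.51.100.7:4444, score Medium) and one relay pair with a 90-second delay; the burst, the reply to the inbound source and the late outbound connection are all dropped for the same reasons the AQL would drop them. The Python loop over inbound and outbound events is quadratic, which is acceptable for a unit check but is exactly why the AQL version constrains the join to a 5-minute window.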
Data Sources
Required Tables
False Positives & Tuning
- SCCM or patch management systems making frequent scheduled connections to update servers on non-standard ports
- VPN gateway appliances with persistent keepalive tunnels to remote peers generating regular connection events
- Automated vulnerability scanners or asset inventory tools initiating connections to external IP ranges
- Network Address Translation (NAT) devices appearing to relay traffic when internal hosts communicate through them
- Cloud-connected backup appliances with regular replication jobs to fixed cloud endpoints
Other platforms for T1583.005
Testing Methodology
Validate this detection against the 4 adversary behaviours below, derived from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections
Expected signal: Sysmon Event ID 3 (Network Connection): 30 events from powershell.exe connecting to 127.0.0.1:8080 at regular ~10-second intervals. KQL DeviceNetworkEvents will show ConnectionCount=30, DurationMinutes=~5, ConnectionsPerHour=~360. The connection will fail (connection refused) if no listener is running, but Sysmon will still log the attempt if configured with network monitoring.
- Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern
Expected signal: Sysmon Event ID 3: two network connection events from powershell.exe within the 5-minute correlation window — one inbound accepted connection (or attempt) on port 19876, and one outbound connection to 8.8.8.8:53. The join query in KQL correlates these events by DeviceName within the TimeWindow variable.
- Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation
Expected signal: Sysmon Event ID 3: network connection from powershell.exe to port 6667. DeviceNetworkEvents: RemotePort=6667, InitiatingProcessFileName=powershell.exe. Note: 127.0.0.1 is excluded from the detection queries as a private IP; to validate the detection pipeline, point this at a controlled external test host on port 6667.
- Test 4: Mass External Connection Simulation — Botnet Spreader Behavior
Expected signal: Sysmon Event ID 3: multiple network connection events from powershell.exe to 30 unique IPs in the 203.0.113.0/24 range (TEST-NET-3, RFC 5737 documentation range — routable but safe for testing) on port 22. KQL DeviceNetworkEvents will show InitiatingProcessFileName=powershell.exe with UniqueExternalIPs=30.
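Test 1's expected figures (30 connections about 10 seconds apart, roughly 360 per hour over about 5 minutes) fall outside Query 1's HAVING window of 4-120 connections per hour and at least 30 minutes of duration, so that test produces the right telemetry but will not satisfy Query 1 as written. The added example below (Python; not part of the page, of QRadar, or of any Atomic Red Team test) computes Query 1's statistics over a constructed series with the same shape and then adds an inter-arrival regularity check, based on the coefficient of variation of the gaps, which goes beyond what the page's queries do. The jitter pattern, the 0.15 cut-off and the human-like gap list are assumptions chosen for illustration.

```python
import statistics
from datetime import datetime, timedelta

# Thresholds from Query 1's HAVING clause.
MIN_COUNT, MIN_MINUTES, RATE_RANGE = 12, 30, (4.0, 120.0)


def query1_stats(timestamps):
    """connection_count, duration_minutes (truncated like LONG(...)/60000), connections per hour."""
    count = len(timestamps)
    duration_min = int((max(timestamps) - min(timestamps)).total_seconds() // 60)
    rate = count / duration_min * 60.0 if duration_min else float("inf")
    return count, duration_min, rate


def passes_query1(timestamps):
    count, duration_min, rate = query1_stats(timestamps)
    return count >= MIN_COUNT and duration_min >= MIN_MINUTES and RATE_RANGE[0] <= rate <= RATE_RANGE[1]


def interval_regularity(timestamps, min_intervals=10):
    """Coefficient of variation of the inter-arrival gaps; None when there are too few to judge."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_intervals:
        return None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return {"intervals": len(gaps), "mean_interval_s": mean, "cv": statistics.pstdev(gaps) / mean}


def is_regular_beacon(timestamps, max_cv=0.15, min_intervals=10):
    """Flag a (src, dst, port) series whose cadence is steady, whatever its rate (assumed cut-off)."""
    r = interval_regularity(timestamps, min_intervals)
    return r is not None and r["cv"] <= max_cv


def periodic_series(n, period_s, start=datetime(2024, 1, 1)):
    """Constructed timestamps: n events every period_s seconds with a small fixed jitter pattern."""
    jitter = (0.0, 0.4, -0.3, 0.2)  # sub-second wobble so the gaps are not perfectly identical
    return [start + timedelta(seconds=k * period_s + jitter[k % 4]) for k in range(n)]


def irregular_series(start=datetime(2024, 1, 1)):
    """Constructed human-like activity: bursty gaps between 1 second and 5 minutes."""
    gaps = [2, 45, 3, 120, 7, 15, 300, 1, 60, 30, 8, 200]
    ts, t = [start], start
    for g in gaps:
        t += timedelta(seconds=g)
        ts.append(t)
    return ts


if __name__ == "__main__":
    test1 = periodic_series(30, 10)   # Test 1: 30 connections ~10 s apart
    print("Test 1 (count, minutes, per hour):", query1_stats(test1))
    print("Test 1 satisfies Query 1:", passes_query1(test1))
    print("Test 1 has a regular cadence:", is_regular_beacon(test1))
    slow = periodic_series(25, 300)   # the same regularity at a 5-minute period
    print("5-minute beacon satisfies Query 1:", passes_query1(slow), is_regular_beacon(slow))
    print("Human-like series is regular:", is_regular_beacon(irregular_series()))
```

The regularity check flags the Test 1 series even though its rate is far above Query 1's ceiling, and it also flags the 5-minute beacon that Query 1 accepts, while the bursty human-like series is rejected. Treat it as a complement to the rate window rather than a replacement: several of the tuning entries above (VPN keepalives, scheduled patch checks, backup replication) are just as regular as a beacon, so the regularity score is best used to rank candidates that already passed the allow-listing.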
References (9)
- https://attack.mitre.org/techniques/T1583/005/
- https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
- https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
- https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/
- https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1583.005/T1583.005.md