T1583.005 Splunk · SPL

Detect Botnet in Splunk

Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Sub-technique
T1583.005 Botnet
Canonical reference
https://attack.mitre.org/techniques/T1583/005/

SPL Detection Query

Splunk (SPL)
`comment("=== QUERY 1: C2 Beaconing from Internal Host via Sysmon Network Events ===")`
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
  OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
  OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
  OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
  OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
  OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
  OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
  OR Image="*\\Teams.exe" OR Image="*\\OneDrive.exe" OR Image="*\\outlook.exe")
NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=53)
| eval hour_bucket=strftime(_time, "%Y-%m-%d %H")
| stats
    count as connection_count,
    earliest(_time) as first_seen,
    latest(_time) as last_seen,
    dc(DestinationPort) as unique_ports,
    values(DestinationPort) as ports
    by host, Image, SourceIp, DestinationIp, hour_bucket
| where connection_count >= 8
| eval duration_minutes=round((last_seen - first_seen) / 60, 1)
| eval connections_per_hour=round(connection_count / (duration_minutes / 60), 1)
| where connections_per_hour >= 4 AND connections_per_hour <= 120
| eval beacon_score=case(
    connection_count > 100, "Critical",
    connection_count > 50, "High",
    connection_count > 20, "Medium",
    1=1, "Low"
  )
| table hour_bucket, host, Image, SourceIp, DestinationIp, ports, connection_count, duration_minutes, connections_per_hour, beacon_score
| sort - connection_count

`comment("=== QUERY 2: DNS Queries to Botnet / DGA Domains (companion query, run separately) ===")`
`comment("Flags processes resolving many long, multi-label names, a shape common to DGA and C2 resolution traffic")`
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval domain_length=len(QueryName)
| eval label_count=mvcount(split(QueryName, "."))
| where domain_length > 20 AND label_count >= 3
| stats count as query_count, dc(QueryName) as unique_domains, values(QueryName) as queried_names by host, Image
| where unique_domains > 20 AND query_count > 50
| sort - unique_domains

`comment("=== QUERY 3: High-Volume Inbound from Distributed Sources (Firewall/Proxy logs; companion query, run separately) ===")`
`comment("Sourcetypes are examples; adapt them to the firewall add-on in use. The OR is parenthesised so that action!=deny applies to both")`
index=network (sourcetype="cisco:asa" OR sourcetype="pan:traffic") action!=deny
| bin _time span=5m
| stats dc(src_ip) as unique_src_ips, count as total_connections by dest_ip, dest_port, _time
| where unique_src_ips > 50 AND total_connections > 500
| eval attack_type=case(
    in(dest_port, "80", "443", "8080", "8443"), "HTTP Flood",
    in(dest_port, "22", "3389"), "Cred Stuffing",
    1=1, "Volumetric"
  )
| sort - unique_src_ips
Severity
High
Confidence
Medium

Detects botnet-associated behaviors using Sysmon network connection logs. The primary query uses Sysmon Event ID 3 (Network Connection) to identify non-browser processes making repeated connections to the same external IP on ports other than 80, 443 and 53, at a rate (4 to 120 connections per hour within an hour bucket) consistent with C2 beacon intervals, a key indicator of botnet infection on internal hosts. Companion queries (listed separately above and requiring environment-specific adaptation) cover DNS-based DGA detection via Sysmon Event ID 22 and volumetric inbound attack detection via firewall/proxy sourcetypes. Confidence is medium because legitimate telemetry and update traffic produce the same cadence.
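To check the scoring logic of Query 1 without a Splunk instance, here is an added Python model that is not part of the original page: it applies the same exclusions, hour bucketing, count and rate thresholds and the same case() ladder to constructed Sysmon Event ID 3 records. Host names, process paths and the TEST-NET addresses are constructed sample values. The constructed data also shows a consequence of the 120 connections/hour ceiling: the Test 1 shape (30 connections about 10 seconds apart) has a rate far above 120 per hour even when pointed at an external address, so Query 1 does not return it.

```python
"""Offline model of Query 1 (C2 beacon scoring) over constructed Sysmon EID 3 events.
Added illustration, not code from the original page. Field names mirror the Sysmon
XmlWinEventLog fields used by the SPL (host, Image, SourceIp, DestinationIp,
DestinationPort, _time); thresholds mirror the query's where clauses."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Same exclusions as the SPL NOT clauses, expressed as CIDR ranges.
EXCLUDED_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXCLUDED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe",
                   "teams.exe", "onedrive.exe", "outlook.exe"}
EXCLUDED_PORTS = {80, 443, 53}


def is_excluded(ev):
    """Mirror the three NOT(...) filters: private/loopback destination, browser-like image, web/DNS port."""
    if any(ip_address(ev["DestinationIp"]) in net for net in EXCLUDED_NETS):
        return True
    if ev["Image"].rsplit("\\", 1)[-1].lower() in EXCLUDED_IMAGES:
        return True
    return ev["DestinationPort"] in EXCLUDED_PORTS


def beacon_score(connection_count):
    """Same case() ladder as the SPL."""
    if connection_count > 100:
        return "Critical"
    if connection_count > 50:
        return "High"
    if connection_count > 20:
        return "Medium"
    return "Low"


def score_beacons(events, min_count=8, min_rate=4.0, max_rate=120.0):
    """Group by host/Image/SourceIp/DestinationIp/hour bucket and apply Query 1's thresholds."""
    groups = defaultdict(list)
    for ev in events:
        if is_excluded(ev):
            continue
        key = (ev["host"], ev["Image"], ev["SourceIp"], ev["DestinationIp"],
               ev["_time"].strftime("%Y-%m-%d %H"))
        groups[key].append(ev)

    hits = []
    for (host, image, src, dst, bucket), evs in groups.items():
        count = len(evs)
        if count < min_count:
            continue
        times = sorted(e["_time"] for e in evs)
        duration_minutes = round((times[-1] - times[0]).total_seconds() / 60, 1)
        # In SPL a duration of 0 makes the division null and the where clause drops the row,
        # so a burst of connections within the same second is never scored.
        if duration_minutes <= 0:
            continue
        rate = round(count / (duration_minutes / 60), 1)
        if not (min_rate <= rate <= max_rate):
            continue
        hits.append({"hour_bucket": bucket, "host": host, "Image": image,
                     "SourceIp": src, "DestinationIp": dst,
                     "ports": sorted({e["DestinationPort"] for e in evs}),
                     "connection_count": count, "duration_minutes": duration_minutes,
                     "connections_per_hour": rate, "beacon_score": beacon_score(count)})
    return sorted(hits, key=lambda h: -h["connection_count"])


def make_events(host, image, dst, port, start, count, interval_s):
    """Constructed EID 3 events: `count` connections spaced `interval_s` seconds apart."""
    return [{"host": host, "Image": image, "SourceIp": "10.0.0.25",
             "DestinationIp": dst, "DestinationPort": port,
             "_time": start + timedelta(seconds=i * interval_s)} for i in range(count)]


def run_demo():
    t0 = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)
    events = (
        # 50 connections 60 s apart to a TEST-NET-2 address on a non-web port: should score.
        make_events("WS01", r"C:\Users\Public\updater.exe", "198.51.100.23", 4444, t0, 50, 60)
        # Test 1 shape (30 connections 10 s apart) against a TEST-NET-3 address: about 375/hour,
        # above the 120/hour ceiling, so Query 1 does not return it.
        + make_events("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "203.0.113.10", 8080, t0, 30, 10)
        # Browser traffic: excluded by the Image filter regardless of cadence.
        + make_events("WS03", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                      "203.0.113.5", 8443, t0, 40, 60)
        # Ten connections in the same second: duration 0, dropped.
        + make_events("WS04", r"C:\Temp\burst.exe", "198.51.100.9", 9001, t0, 10, 0)
    )
    return score_beacons(events)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Running the file prints the single surviving row (WS01, 50 connections over 49 minutes, 61.2 per hour, Medium). For 30 connections the rate only drops to 120 per hour or below once the interval is a little over 30 seconds, which is what a Test 1 run needs if it is meant to exercise Query 1 rather than only generate telemetry.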

Data Sources

Network Traffic: Network Connection Creation
Network Traffic: DNS Resolution
Sysmon Event ID 3 (Network Connection)
Sysmon Event ID 22 (DNS Query)
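As an added example (not from the original page) of the Query 2 shape over constructed Sysmon Event ID 22 records, the following Python applies the same per-event filter (a name longer than 20 characters with at least three labels) and the same per-process thresholds (more than 20 unique names and more than 50 queries). It adds a Shannon-entropy column for the leftmost label, which Query 2 itself does not compute; process paths, host names and the seeded pseudo-random names under `.dga-sample.example` are constructed.

```python
"""Offline model of Query 2 (long, multi-label DNS names per process) over constructed
Sysmon EID 22 events. Added illustration, not code from the original page. The
mean_label_entropy column is an extension beyond the SPL query."""
import math
import random
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def passes_event_filter(query_name, min_length=20, min_labels=3):
    """Per-event where clause: len(QueryName) > 20 AND mvcount(split(QueryName, ".")) >= 3."""
    return len(query_name) > min_length and len(query_name.split(".")) >= min_labels


def score_dns(events, min_unique=20, min_queries=50):
    """stats count, dc(QueryName), values(QueryName) by host, Image; then the where clause."""
    groups = defaultdict(list)
    for ev in events:
        if passes_event_filter(ev["QueryName"]):
            groups[(ev["host"], ev["Image"])].append(ev["QueryName"])
    hits = []
    for (host, image), names in groups.items():
        unique = sorted(set(names))
        if len(unique) > min_unique and len(names) > min_queries:
            # Entropy of the leftmost label, averaged over the unique names (extension).
            entropy = sum(label_entropy(n.split(".")[0]) for n in unique) / len(unique)
            hits.append({"host": host, "Image": image,
                         "query_count": len(names), "unique_domains": len(unique),
                         "queried_names": unique,
                         "mean_label_entropy": round(entropy, 2)})
    return sorted(hits, key=lambda h: -h["unique_domains"])


def make_queries(host, image, names, repeats):
    """Constructed EID 22 events: each name queried `repeats` times."""
    return [{"host": host, "Image": image, "QueryName": n}
            for n in names for _ in range(repeats)]


def run_demo():
    rng = random.Random(7)  # fixed seed so the constructed DGA-like names are reproducible
    dga_like = ["".join(rng.choice(ALPHABET) for _ in range(16)) + ".dga-sample.example"
                for _ in range(25)]
    events = (
        # 25 unique 35-character, 3-label names, each queried 3 times: 75 queries from one process.
        make_queries("WS01", r"C:\Users\Public\updater.exe", dga_like, 3)
        # A browser hitting a handful of long CDN names many times: passes the per-event
        # filter but fails unique_domains > 20.
        + make_queries("WS02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                       [f"static{i}.cdn.assets.example.com" for i in range(5)], 20)
        # Short two-label names never pass the per-event filter.
        + make_queries("WS03", r"C:\Windows\System32\svchost.exe",
                       ["example.com", "example.net"], 100)
    )
    return score_dns(events)


if __name__ == "__main__":
    for hit in run_demo():
        print({k: v for k, v in hit.items() if k != "queried_names"})
```

Only the updater.exe group survives both the per-event filter and the per-process thresholds; the browser group is cut by the unique-name count even though it produced more queries, which is the tuning lever to adjust first when CDN-heavy software triggers the rule.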

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate telemetry and crash reporting services with fixed-interval connections to vendor infrastructure
  • Backup and sync agents (Veeam, Acronis, Carbonite) making regular connections to cloud storage endpoints
  • VPN and endpoint security agents that beacon home for policy updates and health status
  • Enterprise software license managers polling a fixed license server at regular intervals
  • Chatbot and help-desk integrations maintaining persistent websocket or long-poll connections

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections

    Expected signal: Sysmon Event ID 3 (Network Connection): 30 events from powershell.exe connecting to 127.0.0.1:8080 at regular ~10-second intervals. KQL DeviceNetworkEvents will show ConnectionCount=30, DurationMinutes=~5, ConnectionsPerHour=~360. The connection will fail (connection refused) if no listener is running, but Sysmon will still log the attempt if configured with network monitoring.

  2. Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern

    Expected signal: Sysmon Event ID 3: two network connection events from powershell.exe within the 5-minute correlation window — one inbound accepted connection (or attempt) on port 19876, and one outbound connection to 8.8.8.8:53. The join query in KQL correlates these events by DeviceName within the TimeWindow variable.

  3. Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation

    Expected signal: Sysmon Event ID 3: network connection from powershell.exe to port 6667. DeviceNetworkEvents: RemotePort=6667, InitiatingProcessFileName=powershell.exe. Note: 127.0.0.1 is excluded from the detection queries as a private IP — to validate the detection pipeline, point this at a controlled external test host on port 6667.

  4. Test 4: Mass External Connection Simulation — Botnet Spreader Behavior

    Expected signal: Sysmon Event ID 3: multiple network connection events from powershell.exe to 30 unique IPs in the 203.0.113.0/24 range (TEST-NET-3, RFC 5737 documentation range — routable but safe for testing) on port 22. KQL DeviceNetworkEvents will show InitiatingProcessFileName=powershell.exe with UniqueExternalIPs=30.
