Detect Botnet in Sumo Logic CSE
Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.005 Botnet
- Canonical reference: https://attack.mitre.org/techniques/T1583/005/
Sumo Detection Query
// === QUERY 1: C2 Beaconing Detection via Sysmon Network Events ===
_sourceCategory=windows/sysmon EventCode=3
// Drop RFC 1918, loopback and link-local destinations
| where !(DestinationIp matches /^10\./ or DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or DestinationIp matches /^192\.168\./ or DestinationIp matches /^127\./ or DestinationIp matches /^169\.254\./)
// Drop known-noisy images that legitimately poll external services
| where !(Image matches /\\(chrome|firefox|msedge|Teams|OneDrive|outlook|svchost|SearchIndexer|MicrosoftEdgeUpdate)\.exe$/)
| where DestinationPort != 80 and DestinationPort != 443 and DestinationPort != 53
| timeslice 1h
| count as connection_count, min(_messageTime) as first_seen, max(_messageTime) as last_seen, count_distinct(DestinationPort) as unique_ports by _timeslice, Computer, Image, SourceIp, DestinationIp
| where connection_count >= 12
| round((last_seen - first_seen) / 60000, 1) as duration_minutes
| where duration_minutes >= 30
| round(connection_count / (duration_minutes / 60), 1) as connections_per_hour
| where connections_per_hour >= 4 and connections_per_hour <= 120
| if(connection_count > 100, "Critical", if(connection_count > 50, "High", if(connection_count > 20, "Medium", "Low"))) as beacon_score
| fields _timeslice, Computer, Image, SourceIp, DestinationIp, connection_count, duration_minutes, connections_per_hour, beacon_score
| sort by connection_count desc
// === QUERY 2: DNS Query Volume Spike — Possible DGA/Botnet Resolver ===
// _sourceCategory=windows/sysmon EventCode=22
// | count as query_count, count_distinct(QueryName) as unique_domains by Computer, Image
// | where query_count > 50 and unique_domains > 20
// | sort by unique_domains desc
// === QUERY 3: Inbound Volumetric Attack from Distributed Sources (Network/Firewall logs) ===
// _sourceCategory=network/firewall
// | where action != "deny" and action != "drop" and action != "block"
// | where dest_port in (80, 443, 8080, 8443, 22, 3389, 25, 587)
// | timeslice 5m
// | count_distinct(src_ip) as unique_src_ips, count as total_connections by _timeslice, dest_ip, dest_port
// | where unique_src_ips > 50 and total_connections > 500
// | if(dest_port in (80,443,8080,8443), "HTTP Flood", if(dest_port in (22,3389), "Credential Stuffing", "Volumetric Flood")) as attack_type
// | sort by unique_src_ips desc
// === QUERY 4: ORB Relay — Host Bridging External Inbound to External Outbound ===
// Run two queries and correlate with join or lookup
_sourceCategory=windows/sysmon EventCode=3
| where !(SourceIp matches /^10\./ or SourceIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or SourceIp matches /^192\.168\./)
| where !(DestinationIp matches /^10\./ or DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ or DestinationIp matches /^192\.168\./)
| where DestinationPort != 80 and DestinationPort != 443 and DestinationPort != 53
| count as relay_events, count_distinct(SourceIp) as inbound_sources, count_distinct(DestinationIp) as outbound_targets by Computer, Image
| where relay_events >= 3 and inbound_sources >= 1 and outbound_targets >= 1
| sort by relay_events desc

Four Sumo Logic CQL queries targeting T1583.005 Botnet behavior: (1) Sysmon EventCode=3 network connection beaconing detection using time-bucketed aggregation to identify processes making 12+ regular outbound connections at 4-120 per hour to the same external IP on non-standard ports; (2) commented DNS DGA detection using EventCode=22 that flags processes with high query volume across many distinct domains; (3) commented firewall-log detection of volumetric inbound attacks from many distinct sources; (4) ORB relay approximation using Sysmon EventCode=3 to find hosts actively bridging external inbound and outbound traffic.
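To make Query 1's thresholds testable offline, the following Python re-implements its beaconing heuristic (the same destination, image and port filters, the 1h timeslice grouping, and the count, duration and rate floors) over constructed Sysmon EventCode=3 records. This is an added example, not code from the page or from Sumo Logic; field names mirror the query, and every host name, path, IP and timestamp in the sample data is constructed. One sample set is shaped like Test 1 below (30 connections 10 seconds apart), which shows that such a burst stays under the 30-minute duration floor and therefore does not fire.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Destinations the query excludes: RFC 1918, loopback and link-local.
EXCLUDED_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Known-noisy images dropped before aggregation (same list as the query).
NOISY_IMAGE = re.compile(
    r"\\(chrome|firefox|msedge|Teams|OneDrive|outlook|svchost|SearchIndexer|MicrosoftEdgeUpdate)\.exe$")
STANDARD_PORTS = {80, 443, 53}
SLICE_MS = 3_600_000  # timeslice 1h, in epoch milliseconds like _messageTime


def is_candidate(ev):
    """Query 1's three pre-aggregation filters applied to one Sysmon EventCode=3 record."""
    dst = ip_address(ev["DestinationIp"])
    if any(dst in net for net in EXCLUDED_NETS):
        return False
    if NOISY_IMAGE.search(ev["Image"]):
        return False
    return ev["DestinationPort"] not in STANDARD_PORTS


def beacon_score(connection_count):
    """Severity tiers from the query's nested if()."""
    if connection_count > 100:
        return "Critical"
    if connection_count > 50:
        return "High"
    if connection_count > 20:
        return "Medium"
    return "Low"


def detect_beacons(events):
    """Group candidate events per hour/host/process/src/dst and keep the groups that meet
    the count, duration and rate thresholds of Query 1. Rows are sorted like the query."""
    groups = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            key = (ev["_messageTime"] // SLICE_MS, ev["Computer"], ev["Image"],
                   ev["SourceIp"], ev["DestinationIp"])
            groups[key].append(ev["_messageTime"])
    hits = []
    for (timeslice, computer, image, src, dst), times in groups.items():
        connection_count = len(times)
        if connection_count < 12:
            continue
        duration_minutes = round((max(times) - min(times)) / 60000, 1)
        if duration_minutes < 30:  # short bursts never qualify, however dense
            continue
        connections_per_hour = round(connection_count / (duration_minutes / 60), 1)
        if not 4 <= connections_per_hour <= 120:
            continue
        hits.append({"_timeslice": timeslice * SLICE_MS, "Computer": computer, "Image": image,
                     "SourceIp": src, "DestinationIp": dst,
                     "connection_count": connection_count,
                     "duration_minutes": duration_minutes,
                     "connections_per_hour": connections_per_hour,
                     "beacon_score": beacon_score(connection_count)})
    return sorted(hits, key=lambda h: h["connection_count"], reverse=True)


def sysmon_event(computer, image, src, dst, port, t_ms):
    """Build a minimal Sysmon EventCode=3 record carrying only the fields the query reads."""
    return {"Computer": computer, "Image": image, "SourceIp": src, "DestinationIp": dst,
            "DestinationPort": port, "_messageTime": t_ms}


# Constructed sample telemetry. BASE is an epoch-ms value on an hour boundary so that all
# events below land in a single timeslice.
BASE = 1_699_999_200_000
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = (
    # an unknown binary calling one external IP on 4444 every 5 minutes for 55 minutes
    [sysmon_event("WS-042", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                  "10.0.0.5", "198.51.100.23", 4444, BASE + i * 300_000) for i in range(12)]
    # the shape of Test 1 (30 connections 10 s apart) aimed at an external stand-in IP:
    # dense, but under the 30-minute duration floor, so it does not fire
    + [sysmon_event("WS-042", PS, "10.0.0.5", "203.0.113.9", 8080, BASE + i * 10_000)
       for i in range(30)]
    # browser traffic to 443: removed by both the image filter and the port filter
    + [sysmon_event("WS-042", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    "10.0.0.5", "203.0.113.50", 443, BASE + i * 300_000) for i in range(12)]
)

if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_EVENTS):
        print(hit)
```

Running it yields exactly one row: the update.exe group with 12 connections over 55.0 minutes at 13.1 per hour, scored Low. Swapping the interval or the run length in the constructed data is a quick way to see which of the three floors a given cadence trips before changing the thresholds in production.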
Data Sources
Required Tables
False Positives & Tuning
- RMM tools (ConnectWise Control, TeamViewer, AnyDesk) making regular heartbeat connections to relay infrastructure on non-standard ports, producing both inbound and outbound relay-like patterns
- Windows Update or WSUS agents checking multiple update servers in sequence with consistent intervals
- Antivirus or EDR solutions performing regular telemetry uploads to cloud endpoints at fixed scheduled intervals
- Multi-homed servers or dual-NIC hosts that legitimately bridge network segments, generating traffic patterns similar to ORB relay detection
- Content delivery network (CDN) edge nodes or anycast infrastructure that receive and forward requests as part of normal operation
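The relay approximation in Query 4 and the tuning this list calls for can be tried together in Python. The example below, added here and not part of the page or of Sumo Logic's tooling, reproduces Query 4's aggregation (both SourceIp and DestinationIp outside RFC 1918 on a non-standard port, grouped by Computer and Image, at least three such events) and then suppresses groups that match an allowlist of known bridging hosts or RMM client images. Host names, paths, IPs and the allowlist contents are constructed. Because Sysmon records the logging host's own address as SourceIp, the both-external condition can only be met by hosts that hold a public interface address, which is reflected in the sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {80, 443, 53}

# Tuning lists (constructed): hosts that legitimately bridge segments, and RMM client
# executables whose heartbeat traffic looks relay-like.
KNOWN_RELAY_HOSTS = {"EDGE-PROXY-01"}
RMM_IMAGES = {"screenconnect.clientservice.exe", "teamviewer.exe", "anydesk.exe"}


def is_external(ip):
    return not any(ip_address(ip) in net for net in RFC1918)


def detect_relays(events):
    """Query 4 as written: per (Computer, Image), count events whose source AND destination
    are both non-RFC1918 on a non-standard port; keep groups with at least 3 such events."""
    groups = defaultdict(lambda: {"relay_events": 0, "sources": set(), "targets": set()})
    for ev in events:
        if ev["DestinationPort"] in STANDARD_PORTS:
            continue
        if not (is_external(ev["SourceIp"]) and is_external(ev["DestinationIp"])):
            continue
        g = groups[(ev["Computer"], ev["Image"])]
        g["relay_events"] += 1
        g["sources"].add(ev["SourceIp"])
        g["targets"].add(ev["DestinationIp"])
    hits = [{"Computer": c, "Image": i, "relay_events": g["relay_events"],
             "inbound_sources": len(g["sources"]), "outbound_targets": len(g["targets"])}
            for (c, i), g in groups.items()
            if g["relay_events"] >= 3 and g["sources"] and g["targets"]]
    return sorted(hits, key=lambda h: h["relay_events"], reverse=True)


def tune(hits, allow_hosts=KNOWN_RELAY_HOSTS, allow_images=RMM_IMAGES):
    """Drop hits explained by an allowlisted host or an RMM client image (basename match)."""
    return [h for h in hits
            if h["Computer"] not in allow_hosts
            and h["Image"].rsplit("\\", 1)[-1].lower() not in allow_images]


def event(computer, image, src, dst, port):
    return {"Computer": computer, "Image": image, "SourceIp": src,
            "DestinationIp": dst, "DestinationPort": port}


# Constructed telemetry: three hosts with public addresses that each fan out to three
# external targets, plus an internal workstation that the filters drop.
SAMPLE_EVENTS = (
    [event("VPS-17", r"C:\ProgramData\svc\relay.exe", "203.0.113.17", f"198.51.100.{n}", 5555)
     for n in (5, 6, 7)]
    + [event("EDGE-PROXY-01", r"C:\Proxy\proxy.exe", "203.0.113.40", f"198.51.100.{n}", 8081)
       for n in (20, 21, 22)]
    + [event("KIOSK-03", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "203.0.113.61",
             f"198.51.100.{n}", 7070) for n in (30, 31, 32)]
    # private source on 443: excluded by both the RFC 1918 check and the port filter
    + [event("WS-042", r"C:\Users\bob\app.exe", "10.0.0.5", "198.51.100.9", 443)]
)

if __name__ == "__main__":
    for hit in tune(detect_relays(SAMPLE_EVENTS)):
        print(hit)
```

Query 4 alone returns all three public-address hosts; after tuning only VPS-17 with its unrecognised relay.exe remains. Keeping the raw and tuned results separate, as the two functions do, lets you review what the allowlist is hiding rather than silently losing it.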
Other platforms for T1583.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate C2 Beaconing — Regular Periodic Outbound Connections
Expected signal: Sysmon Event ID 3 (Network Connection): 30 events from powershell.exe connecting to 127.0.0.1:8080 at regular ~10-second intervals. KQL DeviceNetworkEvents will show ConnectionCount=30, DurationMinutes=~5, ConnectionsPerHour=~360. The connection will fail (connection refused) if no listener is running, but Sysmon will still log the attempt if configured with network monitoring.
- Test 2: Simulate ORB Relay Behavior — Inbound-then-Outbound Network Pattern
Expected signal: Sysmon Event ID 3: two network connection events from powershell.exe within the 5-minute correlation window — one inbound accepted connection (or attempt) on port 19876, and one outbound connection to 8.8.8.8:53. The join query in KQL correlates these events by DeviceName within the TimeWindow variable.
- Test 3: Connect to IRC-Protocol Port — Botnet C2 Channel Simulation
Expected signal: Sysmon Event ID 3: network connection from powershell.exe to port 6667. DeviceNetworkEvents: RemotePort=6667, InitiatingProcessFileName=powershell.exe. Note: 127.0.0.1 is excluded from the detection queries as a private IP — to validate the detection pipeline, point this at a controlled external test host on port 6667.
- Test 4: Mass External Connection Simulation — Botnet Spreader Behavior
Expected signal: Sysmon Event ID 3: multiple network connection events from powershell.exe to 30 unique IPs in the 203.0.113.0/24 range (TEST-NET-3, RFC 5737 documentation range — routable but safe for testing) on port 22. KQL DeviceNetworkEvents will show InitiatingProcessFileName=powershell.exe with UniqueExternalIPs=30.
References (9)
- https://attack.mitre.org/techniques/T1583/005/
- https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
- https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
- https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/
- https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1583.005/T1583.005.md
Unlock Pro Content
Get the full detection package for T1583.005 including response playbook, investigation guide, and atomic red team tests.