T1584.005 Botnet Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect systems exhibiting botnet node behavior: beaconing to external IPs with
// regular intervals, IRC C2 port usage, or high-frequency outbound connections
// suggesting DDoS participation or automated bot check-ins.
let LookbackPeriod = 24h;
let MinConnectionsThreshold = 20;
let MinHourlyBuckets = 3;
let BotnetC2Ports = dynamic([6667, 6697, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669, 1080, 4444]);
let PrivateRanges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.", "172.20.",
  "172.21.", "172.22.", "172.23.", "172.24.", "172.25.", "172.26.", "172.27.", "172.28.",
  "172.29.", "172.30.", "172.31.", "192.168.", "127.", "169.254."]);
DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemoteIPType == "Public"
| where not(RemoteIP has_any (PrivateRanges))
// Aggregate per device + remote endpoint to identify repeated connections over time
| summarize
    TotalConnections = count(),
    HourlyBuckets = dcount(bin(Timestamp, 1h)),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Processes = make_set(InitiatingProcessFileName, 10),
    ProcessPaths = make_set(InitiatingProcessFolderPath, 5)
    by DeviceName, AccountName, RemoteIP, RemotePort
| where TotalConnections >= MinConnectionsThreshold
| where HourlyBuckets >= MinHourlyBuckets
| extend
    AvgConnectionsPerHour = round(todouble(TotalConnections) / HourlyBuckets, 1),
    AvgBytesPerConnection = round(todouble(BytesSent + BytesReceived) / TotalConnections, 0),
    DurationHours = datetime_diff('hour', LastSeen, FirstSeen),
    IRCPort = RemotePort in (BotnetC2Ports)
// Score: IRC port use = 3, low-byte high-freq beaconing = 2, high-volume connections = 1
| extend BeaconingScore = case(
    IRCPort == true, 3,
    AvgBytesPerConnection < 500 and AvgConnectionsPerHour > 10, 2,
    TotalConnections > 200 and HourlyBuckets >= 6, 2,
    TotalConnections > 100, 1,
    0
)
| where BeaconingScore >= 1
| project
    FirstSeen, LastSeen, DeviceName, AccountName,
    RemoteIP, RemotePort, IRCPort,
    TotalConnections, HourlyBuckets, AvgConnectionsPerHour,
    AvgBytesPerConnection, BytesSent, BytesReceived,
    DurationHours, BeaconingScore, Processes, ProcessPaths
| sort by BeaconingScore desc, TotalConnections desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Monitoring and observability agents (Datadog, SolarWinds, PRTG, Zabbix) that check-in to cloud endpoints at regular intervals with small payloads
Software update services and telemetry clients (Windows Update, browser update checks, antivirus cloud lookups) that connect frequently to the same CDN or update endpoint
VoIP and real-time communication platforms that maintain persistent connections with high-frequency keepalives
Gaming clients, streaming services, and P2P applications that maintain persistent external connections
Network management tools or custom scripts that perform frequent health checks against external services

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
     OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
     OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
     OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
     OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
     OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
     OR DestinationIp="127.*" OR DestinationIp="169.254.*")
| eval IRCPort=if(match(DestinationPort, "^(6660|6661|6662|6663|6664|6665|6666|6667|6668|6669|6697|4444|1080)$"), 1, 0)
| eval TimeHour=strftime(_time, "%Y-%m-%d %H")
| stats
    count as ConnectionCount,
    dc(TimeHour) as HourlyBuckets,
    max(IRCPort) as IRCPort,
    values(Image) as Processes,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, SourceIp, DestinationIp, DestinationPort
| where ConnectionCount >= 20 AND HourlyBuckets >= 3
| eval AvgPerHour=round(ConnectionCount / HourlyBuckets, 1)
| eval BeaconingScore=case(
    IRCPort=1, 3,
    AvgPerHour > 10 AND ConnectionCount > 50, 2,
    ConnectionCount > 200, 2,
    ConnectionCount > 100, 1,
    1)
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table host, SourceIp, DestinationIp, DestinationPort, ConnectionCount, HourlyBuckets, AvgPerHour, IRCPort, BeaconingScore, Processes, FirstSeen, LastSeen
| sort - BeaconingScore - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Monitoring and observability agents (Datadog, SolarWinds, PRTG, Zabbix) that check-in to cloud endpoints at regular intervals with small payloads
Software update services and telemetry clients (Windows Update, browser update checks, antivirus cloud lookups) that connect frequently to the same CDN or update endpoint
VoIP and real-time communication platforms that maintain persistent connections with high-frequency keepalives
Gaming clients, streaming services, and P2P applications that maintain persistent external connections
Network management tools or custom scripts that perform frequent health checks against external services

Elastic Security (EQL)

eql

// Deploy as Elastic SIEM Threshold Rule: group_by=[host.name, destination.ip, destination.port]
// threshold.value >= 20, threshold.cardinality field=@timestamp (1h bucket) >= 3
// This filters events; the threshold rule engine handles the aggregation and hourly bucket counting
network where event.action in ("connection_attempted", "connection_accepted") and
  network.direction == "egress" and
  not cidrMatch(destination.ip,
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7") and
  (
    destination.port in (6667, 6697, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669, 1080, 4444)
    or (
      source.bytes < 1000 and
      not destination.port in (80, 443, 53, 25, 587, 22, 21, 3389, 445, 139, 8080, 8443) and
      process.name != null
    )
  )

high severity medium confidence

Data Sources

Elastic Agent with network event collection Packetbeat Zeek logs via Filebeat Zeek module Auditbeat network events

Required Tables

logs-network.* packetbeat-* filebeat-*-zeek-connection logs-endpoint.events.network-*

False Positives

Legitimate IRC clients used by developer or gaming communities connecting to public IRC networks on standard port 6667 — cross-reference destination IP against known public IRC server ranges and whitelist approved hosts
Authorized SOCKS5 proxy software using port 1080 for enterprise egress routing — verify RemotePort 1080 connections against approved proxy infrastructure inventory before escalating
Application performance monitoring agents with sub-minute heartbeat intervals connecting to SaaS APM endpoints such as Datadog, New Relic, or Dynatrace on non-standard ports — tune exclusions per approved monitoring vendor IP ranges

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  COUNT(DISTINCT DATEFORMAT(starttime, 'yyyy-MM-dd HH')) AS hourly_buckets,
  SUM(bytessent) AS bytes_sent,
  SUM(bytesreceived) AS bytes_received,
  MIN(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS first_seen,
  MAX(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS last_seen,
  CASE
    WHEN destinationport IN (6660,6661,6662,6663,6664,6665,6666,6667,6668,6669,6697,1080,4444) THEN 3
    WHEN COUNT(*) > 200 THEN 2
    WHEN COUNT(*) > 100 THEN 1
    ELSE 1
  END AS beaconing_score
FROM flows
WHERE
  NOT INCIDR('10.0.0.0/8', destinationip)
  AND NOT INCIDR('172.16.0.0/12', destinationip)
  AND NOT INCIDR('192.168.0.0/16', destinationip)
  AND NOT INCIDR('127.0.0.0/8', destinationip)
  AND NOT INCIDR('169.254.0.0/16', destinationip)
  AND NOT INCIDR('::1/128', destinationip)
GROUP BY sourceip, destinationip, destinationport
HAVING
  COUNT(*) >= 20
  AND COUNT(DISTINCT DATEFORMAT(starttime, 'yyyy-MM-dd HH')) >= 3
ORDER BY beaconing_score DESC, connection_count DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Network Activity (NetFlow/IPFIX) QRadar managed firewall log sources Cisco ASA or Palo Alto flow records ingested to QRadar

Required Tables

flows

False Positives

CDN health probes and synthetic monitoring agents generating sustained high-frequency flows from application servers to external monitoring endpoints — add HAVING exclusions for known CDN source IP ranges
Authorized network scanners such as Nessus, Qualys, or Rapid7 Nexpose running credentialed scans from internal hosts to external IP space — correlate sourceip against scanner asset inventory
IRC-based ChatOps bots or DevOps automation tools connecting to authorized IRC servers on port 6667 — create a QRadar reference set of approved IRC server IPs and add NOT REFERENCESETCONTAINS exclusion to the WHERE clause

Sumo Logic CSE

sql

(_sourceCategory=network/firewall OR _sourceCategory=network/paloalto OR _sourceCategory=network/cisco/asa OR _sourceCategory=network/zeek OR _sourceCategory=network/flow)
| where !isPrivateIP(dst_ip)
| where !(dst_ip matches "10.*" or dst_ip matches "172.1[6-9].*" or dst_ip matches "172.2[0-9].*"
     or dst_ip matches "172.3[0-1].*" or dst_ip matches "192.168.*"
     or dst_ip matches "127.*" or dst_ip matches "169.254.*")
| eval irc_port = if(dst_port in ("6660","6661","6662","6663","6664","6665","6666","6667","6668","6669","6697","1080","4444"), 1, 0)
| timeslice 1h
| stats count as connections, dc(_timeslice) as hourly_buckets, max(irc_port) as irc_port,
        sum(bytes_sent) as total_bytes_sent, sum(bytes_rcvd) as total_bytes_rcvd,
        min(_messageTime) as first_seen, max(_messageTime) as last_seen,
        values(process_name) as processes
  by hostname, src_ip, dst_ip, dst_port
| where connections >= 20 and hourly_buckets >= 3
| eval avg_per_hour = round(connections / hourly_buckets, 1)
| eval avg_bytes_per_conn = round((total_bytes_sent + total_bytes_rcvd) / connections, 0)
| eval beaconing_score = if(irc_port = 1, 3,
    if(avg_per_hour > 10 and avg_bytes_per_conn < 500, 2,
    if(connections > 200 and hourly_buckets >= 6, 2,
    if(connections > 100, 1, 0))))
| where beaconing_score >= 1
| eval first_seen = formatDate(toLong(first_seen), "yyyy-MM-dd HH:mm:ss")
| eval last_seen = formatDate(toLong(last_seen), "yyyy-MM-dd HH:mm:ss")
| sort by -beaconing_score, -connections
| fields hostname, src_ip, dst_ip, dst_port, connections, hourly_buckets, avg_per_hour,
         avg_bytes_per_conn, irc_port, beaconing_score, total_bytes_sent, total_bytes_rcvd,
         processes, first_seen, last_seen

high severity medium confidence

Data Sources

Palo Alto Networks firewall logs via Sumo Logic app Cisco ASA syslog Zeek connection logs via Filebeat/Sumo collector Generic network flow or NetFlow logs

Required Tables

_sourceCategory=network/firewall _sourceCategory=network/zeek _sourceCategory=network/flow _sourceCategory=network/paloalto

False Positives

Scheduled backup agents such as Veeam, Backblaze, or Crashplan generating high-frequency connections to external cloud storage endpoints during nightly backup windows — identify by hostname pattern and time correlation with backup schedule
Torrent or peer-to-peer file sharing software running on user workstations making high-frequency tracker and peer connections on non-standard port ranges — correlate process_name values against approved software inventory
Load testing or chaos engineering tools such as Locust or k6 executing from internal hosts against external staging or production endpoints — cross-reference src_ip against CI/CD runner or QA host inventory during test windows

Google Chronicle / SecOps

yaral

rule t1584_005_botnet_node_irc_c2_beaconing {
  meta:
    author = "Detection Engineering"
    description = "Detects botnet node behavior: systems making 20+ outbound connections over 24h to external IPs on IRC C2 ports (6660-6669, 6697) or proxy ports (1080, 4444) commonly used by bot malware for C2 check-ins"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.005"
    mitre_attack_subtechnique = "Botnet"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2024-01-01"
    modified = "2024-01-01"
    reference = "https://attack.mitre.org/techniques/T1584/005/"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.direction = "OUTBOUND"
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "169.254.0.0/16")
    (
      $net.target.port = 6667 or
      $net.target.port = 6697 or
      $net.target.port = 6660 or
      $net.target.port = 6661 or
      $net.target.port = 6662 or
      $net.target.port = 6663 or
      $net.target.port = 6664 or
      $net.target.port = 6665 or
      $net.target.port = 6666 or
      $net.target.port = 6668 or
      $net.target.port = 6669 or
      $net.target.port = 1080 or
      $net.target.port = 4444
    )
    $hostname = $net.principal.hostname
    $dst_ip = $net.target.ip
    $dst_port = $net.target.port

  match:
    $hostname, $dst_ip, $dst_port over 24h

  outcome:
    $total_connections = count_distinct($net.metadata.id)
    $src_ips = array_distinct($net.principal.ip)
    $process_paths = array_distinct($net.principal.process.file.full_path)
    $first_seen = min($net.metadata.event_timestamp.seconds)
    $last_seen = max($net.metadata.event_timestamp.seconds)
    $bytes_sent = sum($net.network.sent_bytes)
    $bytes_received = sum($net.network.received_bytes)

  condition:
    #net >= 20
}

high severity high confidence

Data Sources

Chronicle UDM network events Google Cloud Chronicle SIEM third-party log ingestion Palo Alto Cortex XDR or other EDR forwarded to Chronicle

Required Tables

NETWORK_CONNECTION UDM event type

False Positives

Authorized IRC server infrastructure or legitimate IRC bot frameworks used for internal ChatOps pipelines — add destination IP allowlist entries as reference list exceptions in the rule condition
SOCKS5 enterprise proxy appliances accepting connections on port 1080 from clients — create a Chronicle reference list of approved proxy server IPs and add not $dst_ip in %approved_proxy_ips to the events section
Security research or malware sandbox environments that deliberately replicate botnet traffic patterns during controlled analysis — exclude sandbox host principals by hostname prefix or IP range in the events block

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale / Falcon NG-SIEM — botnet node beaconing detection
// Uses two-stage groupBy: first to bucket connections hourly, then to summarize across buckets
#event_simpleName = NetworkConnectIP4
| !cidr(RemoteIP, subnet="10.0.0.0/8")
| !cidr(RemoteIP, subnet="172.16.0.0/12")
| !cidr(RemoteIP, subnet="192.168.0.0/16")
| !cidr(RemoteIP, subnet="127.0.0.0/8")
| !cidr(RemoteIP, subnet="169.254.0.0/16")
// Compute hour bucket per event for later distinct-bucket counting
| eval(HourBucket=formatTime("%Y-%m-%d %H", field=@timestamp, timezone="UTC"))
// Stage 1: count connections per (host, dst_ip, dst_port, hour) tuple
| groupBy([ComputerName, RemoteIP, RemotePort, HourBucket],
    function=[
      count(as=HourlyConnections),
      collect(ContextImageFileName, as=ProcessNames, limit=5)
    ])
// Stage 2: aggregate across all hours per (host, dst_ip, dst_port)
| groupBy([ComputerName, RemoteIP, RemotePort],
    function=[
      sum(HourlyConnections, as=TotalConnections),
      count(as=HourlyBuckets),
      min(HourlyConnections, as=MinHourlyConnections),
      max(HourlyConnections, as=MaxHourlyConnections),
      collect(ProcessNames, as=Processes, limit=10)
    ])
// Apply thresholds matching KQL/SPL detection logic
| TotalConnections >= 20
| HourlyBuckets >= 3
// Flag IRC C2 and bot proxy ports
| eval(IRCPort=if(RemotePort=~"^(6660|6661|6662|6663|6664|6665|6666|6667|6668|6669|6697|1080|4444)$", 1, 0))
| eval(AvgPerHour=round(TotalConnections / HourlyBuckets, 1))
// Beaconing score: IRC port = 3, high-freq low-volume = 2, high-volume = 1
| eval(BeaconingScore=if(IRCPort = 1, 3, if(AvgPerHour > 10 AND TotalConnections > 50, 2, if(TotalConnections > 200, 2, if(TotalConnections > 100, 1, 0)))))
| BeaconingScore >= 1
| sort(field=BeaconingScore, order=desc, limit=200)
| table([ComputerName, RemoteIP, RemotePort, TotalConnections, HourlyBuckets, AvgPerHour, MinHourlyConnections, MaxHourlyConnections, IRCPort, BeaconingScore, Processes])

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor (NetworkConnectIP4) Falcon NG-SIEM CrowdStrike LogScale data platform

Required Tables

NetworkConnectIP4 (Falcon sensor event stream)

False Positives

Hosts running legitimate high-frequency cloud sync or backup agents (OneDrive, Dropbox, S3 sync) that establish many short-lived connections to external storage endpoints — tune TotalConnections threshold upward or add RemoteIP exclusions for known cloud storage CIDR ranges
Developer workstations running local game servers or Minecraft instances that use IRC-adjacent port ranges for in-game chat or RCON management — verify RemoteIP against known gaming server registries and exclude authorized hosts by ComputerName
Enterprise application servers performing load-balanced health checks against multiple external upstream endpoints using persistent connection pools — correlate ContextImageFileName (Processes field) against approved server application inventory to distinguish web servers from malware

Botnet

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections