title: Botnet (T1583.005)
id: df00tech-t1583-005
status: experimental
description: "Adversaries may buy, lease, or rent a network of compromised systems (botnet) to use during targeting. Botnets provide adversaries with scalable infrastructure for phishing campaigns, DDoS attacks, credential stuffing, and covert C2 relay via Operational Relay Box (ORB) networks. Detection pivots from the unobservable acquisition event itself to observable usage patterns: volumetric inbound attacks against organizational infrastructure, internal hosts exhibiting botnet C2 beaconing behavior, ORB relay traffic routing through VPS/SOHO/IoT IP space, and DNS query patterns consistent with botnet domain generation or C2 resolution."
references:
  - https://attack.mitre.org/techniques/T1583/005/
  - https://df00tech.com/detections/T1583.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "CDN and telemetry clients (crash reporters, update services) making regular heartbeat connections to the same endpoint"
  - "Legitimate monitoring agents (Datadog, New Relic, Dynatrace) with fixed-interval health check beacons"
  - "Business applications with embedded polling loops for license validation or configuration retrieval"
  - "Load balancers and reverse proxies that accept external connections and forward to internal services (normal relay architecture)"
  - "Peer-to-peer software (backup clients, VPN clients, collaborative tools) that maintain persistent connections to distributed infrastructure"
level: high
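The rule above leaves the beaconing logic untranslated, so here is an added example (not part of the df00tech rule) of the usage-pattern detection the description calls for: it groups network_connection records per (host, destination, port), measures how regular the inter-connection gaps are, and suppresses the fixed-interval telemetry endpoints listed under false positives. The sample records, the TEST-NET addresses and the allowlist are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records in the shape of Sysmon Event ID 3 (network_connection):
# (epoch seconds, source host, destination ip, destination port).
# 203.0.113.10 is contacted every ~60 s with +/-1 s jitter (beacon-like),
# 198.51.100.5 does the same but is a known telemetry endpoint, and
# 203.0.113.20 receives irregular, browsing-style connections.
SAMPLE_EVENTS = (
    [(1_700_000_000 + 60 * i + (1 if i % 2 else -1), "WS01", "203.0.113.10", 443) for i in range(8)]
    + [(1_700_000_000 + 60 * i, "WS01", "198.51.100.5", 443) for i in range(8)]
    + [(1_700_000_000 + t, "WS02", "203.0.113.20", 443) for t in (0, 3, 40, 41, 300, 302, 900, 905)]
)

# Endpoints that legitimately heartbeat on a fixed interval (crash reporters,
# update services, monitoring agents). Placeholder address; populate from inventory.
ALLOWLIST = frozenset({"198.51.100.5"})

def find_beacons(events, min_conns=6, max_cv=0.10, allowlist=ALLOWLIST):
    """Return (host, dst_ip, dst_port, mean_gap_s, cv) for every connection
    series whose inter-arrival times are too regular to be user-driven.
    cv = population stddev / mean of the gaps; a jitter-free beacon has cv near 0."""
    series = defaultdict(list)
    for ts, host, dst, port in events:
        series[(host, dst, port)].append(ts)
    hits = []
    for (host, dst, port), stamps in series.items():
        if dst in allowlist or len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((host, dst, port, round(avg, 1), round(cv, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print("beacon candidate:", hit)
```

Tune `min_conns` and `max_cv` against a baseline of your own traffic; real C2 adds jitter, so a looser `max_cv` catches more at the cost of more polling-loop false positives.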
