T1584.005 Botnet
Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.3 Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.2 Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.1 With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).
| Item | Value |
|---|---|
| ID | T1584.005 |
| Sub-techniques | T1584.001, T1584.002, T1584.003, T1584.004, T1584.005, T1584.006, T1584.007 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 01 October 2020 |
| Last Modified | 19 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0001 | Axiom | Axiom has used large groups of compromised machines for use as proxy nodes.4 |
| G0034 | Sandworm Team | Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
References
-
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019. ↩
-
Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020. ↩
-
Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. ↩
-
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. ↩
-
NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. ↩