MITRE ATT&CK / T1583.005
T1583.005
Botnet
Description
Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service.Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.(Citation: ORB Mandiant)With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) Acquired botnets may also be used to support Command and Control activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) network.
Platforms
Mitigations
- M1056 — Pre-compromise
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- Stack String Obfuscation in C: The Technique That Blinds AV, YARA, and Static Scanners
- MacSync Stealer: Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware
- xlabs_v1 Mirai Botnet Exploits ADB to Build IoT DDoS-for-Hire Network
- TrustFall: AI Coding Agents Exploitable with One Enter Keypress
- PCPJack Cloud Worm Evicts TeamPCP and Steals 40+ Credential Types at Scale
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →