Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
action.hacking.variety.DoS | Denial of service | related-to | T1584.005 | Compromise Infrastructure: Botnet |
action.hacking.variety.Unknown | Unknown | related-to | T1584.005 | Compromise Infrastructure: Botnet |
value_chain.distribution.variety.Other | The variety of distribution was known, but is not listed | related-to | T1584.005 | Compromise Infrastructure: Botnet |
value_chain.non-distribution services.variety.Other | The variety of non-distribution service required is known, but is not listed | related-to | T1584.005 | Compromise Infrastructure: Botnet |