Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Resource Development
  4. >ATTACK-T1584.005
ATTACK-T1584.005Active

Botnet

Statement

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

Location

Tactic
Resource Development

Technique Details

Identifier
ATTACK-T1584.005
Parent Technique
ATTACK-T1584
ATT&CK Page
View on MITRE

Tactics

Resource Development

Platforms

PRE

Detection

Detection of Botnet

Mitigations

Pre-compromise: Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

  • Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
  • Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

  • Enable DNSSEC and use WHOIS privacy protection.
  • Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

  • Use tools like Shodan, Censys to monitor your external attack surface.
  • Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

  • Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

  • Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
  • Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

  • Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

No cross-framework mappings available

← Back to Resource Development
Resource Development47 controls
ATTACK-T1583Acquire InfrastructureATTACK-T1583.001DomainsATTACK-T1583.002DNS ServerATTACK-T1583.003Virtual Private ServerATTACK-T1583.004ServerATTACK-T1583.005BotnetATTACK-T1583.006Web ServicesATTACK-T1583.007ServerlessATTACK-T1583.008MalvertisingATTACK-T1584Compromise InfrastructureATTACK-T1584.001DomainsATTACK-T1584.002DNS ServerATTACK-T1584.003Virtual Private ServerATTACK-T1584.004ServerATTACK-T1584.005BotnetATTACK-T1584.006Web ServicesATTACK-T1584.007ServerlessATTACK-T1584.008Network DevicesATTACK-T1585Establish AccountsATTACK-T1585.001Social Media AccountsATTACK-T1585.002Email AccountsATTACK-T1585.003Cloud AccountsATTACK-T1586Compromise AccountsATTACK-T1586.001Social Media AccountsATTACK-T1586.002Email AccountsATTACK-T1586.003Cloud AccountsATTACK-T1587Develop CapabilitiesATTACK-T1587.001MalwareATTACK-T1587.002Code Signing CertificatesATTACK-T1587.003Digital CertificatesATTACK-T1587.004ExploitsATTACK-T1588Obtain CapabilitiesATTACK-T1588.001MalwareATTACK-T1588.002ToolATTACK-T1588.003Code Signing CertificatesATTACK-T1588.004Digital CertificatesATTACK-T1588.005ExploitsATTACK-T1588.006VulnerabilitiesATTACK-T1588.007Artificial IntelligenceATTACK-T1608Stage CapabilitiesATTACK-T1608.001Upload MalwareATTACK-T1608.002Upload ToolATTACK-T1608.003Install Digital CertificateATTACK-T1608.004Drive-by TargetATTACK-T1608.005Link TargetATTACK-T1608.006SEO PoisoningATTACK-T1650Acquire Access