MITRE ATT&CK Technique
Description
Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:58:35.269Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise numerous third-party systems to '
'form a botnet\xa0that can be used during targeting. A botnet '
'is a network of compromised systems that can be instructed to '
'perform coordinated tasks.(Citation: Norton Botnet) Instead '
'of purchasing/renting a botnet from a booter/stresser '
'service, adversaries may build their own botnet by '
'compromising numerous third-party systems.(Citation: Imperva '
'DDoS for Hire) Adversaries may also conduct a takeover of an '
'existing botnet, such as redirecting bots to '
'adversary-controlled C2 servers.(Citation: Dell Dridex Oct '
'2015) With a botnet at their disposal, adversaries may '
'perform follow-on activity such as large-scale '
'[Phishing](https://attack.mitre.org/techniques/T1566) or '
'Distributed Denial of Service (DDoS).',
'external_references': [{'external_id': 'T1584.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1584/005'},
{'description': 'Dell SecureWorks Counter Threat Unit '
'Threat Intelligence. (2015, October '
'13). Dridex (Bugat v5) Botnet '
'Takeover Operation. Retrieved May '
'31, 2019.',
'source_name': 'Dell Dridex Oct 2015',
'url': 'https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation'},
{'description': 'Imperva. (n.d.). Booters, Stressers '
'and DDoSers. Retrieved October 4, '
'2020.',
'source_name': 'Imperva DDoS for Hire',
'url': 'https://www.imperva.com/learn/ddos/booters-stressers-ddosers/'},
{'description': 'Norton. (n.d.). What is a botnet?. '
'Retrieved October 4, 2020.',
'source_name': 'Norton Botnet',
'url': 'https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html'}],
'id': 'attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:02.197Z',
'name': 'Botnet',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.0'}