MITRE ATT&CK® Detection Strategy

DET0837: Detection of Botnet


Enterprise | DET0837 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0837 is a detection strategy for Botnet-related resource development: adversaries buying, leasing, renting, or otherwise using networks of compromised systems before or during targeting. Its business value is early warning. Because this ATT&CK object has no official detection text or platform scope, leaders should treat it as a prompt to validate whether threat intelligence, external attack-surface awareness, and SOC workflows can recognize botnet infrastructure risk before it becomes an incident.

Executive priority

Prioritize this as a resilience and readiness question rather than a single tool alert. Ask whether the organization can identify exposure to botnet-enabled targeting, whether internet-facing and end-of-life edge devices are tracked, and whether SOC/IR teams have a process for using botnet intelligence in triage and response decisions. This supports budget decisions around threat intelligence, asset inventory, vulnerability management, managed detection, and incident response preparedness.

Technical view

ATT&CK links this detection strategy to T1583.005 Botnet under Resource Development on PRE platforms. Since no official detection logic is provided, SOC and detection teams should validate collection and workflow coverage around external intelligence and environment context: known botnet infrastructure, booter/stresser service reporting, compromised-system networks, and organizational assets that could be exposed or misclassified. IR teams should define how botnet-related indicators are escalated, enriched, and connected to observed targeting activity without assuming attribution from the presence of botnet infrastructure alone.

Likely telemetry

  • Threat intelligence reporting on botnets, booter/stresser services, and known compromised-system networks
  • External attack-surface and asset inventory data, especially for internet-facing edge devices and unsupported/EOL network appliances
  • Vulnerability and lifecycle management records for exposed infrastructure
  • DNS, proxy, firewall, and network-flow logs where available for correlation with known botnet infrastructure
  • SOC case management and enrichment records showing how botnet-related indicators were triaged

Detection direction

  • Validate that botnet intelligence is current, source-rated, and integrated into SOC triage rather than handled as static blocklists only.
  • Tune detections to reduce false positives from shared infrastructure, recycled IP addresses, and low-confidence indicators.
  • Correlate botnet indicators with local asset exposure and observed activity before declaring an incident or attribution.
  • Confirm whether PRE-stage resource-development intelligence is reviewed by threat intelligence or managed detection teams, because endpoint-centric telemetry may not see adversary acquisition of botnet resources.
  • Use the T1583.005 relationship to connect detections to resource-development tracking and campaign preparation workflows.

Mitigation priorities

  • Maintain accurate inventory of internet-facing assets, with emphasis on edge devices and unsupported or end-of-life appliances mentioned in the related ATT&CK context.
  • Prioritize remediation or replacement of exposed unsupported infrastructure that could be incorporated into botnet activity.
  • Operationalize reputable botnet-related intelligence in monitoring, enrichment, and response playbooks.
  • Define escalation criteria for botnet-related alerts so SOC and IR teams know when to investigate, block, monitor, or simply enrich.
  • Preserve evidence of asset management, vulnerability prioritization, and SOC triage decisions for compliance and readiness reviews.
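The detection-direction points above (freshness and source rating of botnet intelligence, tuning out shared or recycled infrastructure, correlating indicators with local asset exposure before declaring an incident) and the escalation criteria under mitigation priorities (enrich, monitor, investigate, block) can be expressed as a small triage routine. The following is an added example written for this page; it is not Glexia's or MITRE's code. The indicator feed, asset inventory, log lines, thresholds (30-day freshness, ratings A/B trusted, confidence floor of 70) and the decision matrix in `decide()` are all constructed assumptions for illustration, not values from any real feed or environment.

```python
"""Triage botnet-related indicators against local exposure (constructed sample data)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# --- Constructed sample data; none of these values refer to real infrastructure ---

# Indicator feed: each entry carries source rating, confidence, last-seen date and tags.
# The 'shared' tag marks infrastructure known to be shared or recycled (hosting pools, CDNs).
INDICATORS = [
    {"value": "203.0.113.10", "type": "ip", "source": "vendor-A", "source_rating": "A",
     "confidence": 90, "last_seen": "2025-01-10", "tags": ["botnet-c2"]},
    {"value": "198.51.100.77", "type": "ip", "source": "paste-scrape", "source_rating": "C",
     "confidence": 40, "last_seen": "2024-06-01", "tags": ["booter"]},
    {"value": "203.0.113.55", "type": "ip", "source": "vendor-B", "source_rating": "B",
     "confidence": 80, "last_seen": "2025-01-08", "tags": ["botnet-scanner", "shared"]},
    {"value": "c2.example.invalid", "type": "domain", "source": "vendor-A", "source_rating": "A",
     "confidence": 85, "last_seen": "2025-01-09", "tags": ["botnet-c2"]},
]

# Asset inventory: lifecycle status is what turns a match into an exposure question.
ASSETS = {
    "192.0.2.1": {"name": "edge-fw-01", "internet_facing": True, "eol": True},
    "192.0.2.20": {"name": "web-01", "internet_facing": True, "eol": False},
    "10.0.5.12": {"name": "ws-finance-12", "internet_facing": False, "eol": False},
}

# Firewall and DNS log lines in a simplified key=value style (constructed).
LOG_LINES = [
    "2025-01-11T02:14:05Z fw action=allow src=203.0.113.10 dst=192.0.2.1 dport=443",
    "2025-01-11T02:20:11Z dns client=10.0.5.12 query=c2.example.invalid rcode=NOERROR",
    "2025-01-11T03:01:40Z fw action=allow src=198.51.100.77 dst=192.0.2.20 dport=80",
    "2025-01-11T03:05:09Z fw action=allow src=203.0.113.55 dst=192.0.2.20 dport=22",
    "2025-01-11T03:06:00Z fw action=allow src=203.0.113.200 dst=192.0.2.20 dport=443",
]

TODAY = date(2025, 1, 11)          # fixed reference date so the run is reproducible
FRESHNESS_DAYS = 30                # assumed policy: older indicators are enrichment-only
TRUSTED_RATINGS = {"A", "B"}       # assumed policy: which source ratings may drive action
CONFIDENCE_FLOOR = 70

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")


@dataclass
class Decision:
    indicator: str
    local_asset: str
    reason: str
    action: str   # one of: enrich | monitor | investigate | block


def indicator_is_actionable(ind, today=TODAY):
    """Fresh, from a trusted-rated source, and above the confidence floor."""
    seen = date.fromisoformat(ind["last_seen"])
    fresh = (today - seen) <= timedelta(days=FRESHNESS_DAYS)
    return fresh and ind["source_rating"] in TRUSTED_RATINGS and ind["confidence"] >= CONFIDENCE_FLOOR


def observed_pairs(log_lines):
    """Yield (external_value, local_ip) pairs from firewall and DNS lines."""
    for line in log_lines:
        m = FW_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")
            continue
        m = DNS_RE.search(line)
        if m:
            yield m.group("query"), m.group("client")


def decide(ind, asset):
    """Assumed escalation matrix: indicator quality plus local exposure -> action."""
    if not indicator_is_actionable(ind):
        return "enrich", "stale, low-confidence or unrated source; enrich the case only"
    if "shared" in ind["tags"]:
        return "monitor", "shared or recycled infrastructure; blocking would hit third parties"
    if asset and asset["internet_facing"] and asset["eol"]:
        return "block", "exposed end-of-life edge device contacted by a high-confidence indicator"
    if asset and asset["internet_facing"]:
        return "investigate", "internet-facing asset contacted by a high-confidence indicator"
    return "investigate", "internal host reached a high-confidence indicator; possible compromise"


def triage(indicators=INDICATORS, assets=ASSETS, log_lines=LOG_LINES):
    """Correlate intel matches in the logs with the asset inventory and return decisions."""
    by_value = {i["value"]: i for i in indicators}
    decisions = []
    for external, local in observed_pairs(log_lines):
        ind = by_value.get(external)
        if ind is None:
            continue                      # no intel match: nothing to triage
        asset = assets.get(local)
        action, reason = decide(ind, asset)
        name = asset["name"] if asset else local
        decisions.append(Decision(external, name, reason, action))
    return decisions


if __name__ == "__main__":
    for d in triage():
        print(f"{d.action:12} {d.indicator:22} -> {d.local_asset:14} ({d.reason})")
```

Run as written, the four intel matches resolve to block (edge-fw-01, end-of-life and internet-facing), investigate (the internal workstation that resolved a C2 domain), enrich (the stale, low-rated booter entry) and monitor (the shared-infrastructure scanner), while the unmatched source address is ignored. The point of the structure is that the feed entry alone never decides the action: freshness and rating gate it, the `shared` tag suppresses it, and the asset record supplies the exposure context the page asks teams to establish before calling something an incident.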

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, detection guidance, tactics, or platforms. The main decision value comes from its relationship to T1583.005 Botnet, which describes adversaries acquiring or renting networks of compromised systems for targeting, including use of booter/stresser services and compromised internet-facing edge devices.

This take does not assert active exploitation, specific vendors, guaranteed detection, attribution, or platform coverage. Local telemetry, intelligence sources, asset exposure, and SOC procedures are required to determine actual coverage and risk.

Official MITRE ATT&CK definition

Detection of Botnet

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1583.005 | Botnet (sub-technique) | This object detects Botnet.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 00e16e3aacb6769e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (no value) | 1.0 | (no value) | Current bundle | 00e16e3aacb6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0837 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.