It depends: you need to rely on an IoC to notice a piece of malware. This is typically a signature, a direct communication with a known C2 or a malicious URLs, a hash, ... Beyond the most simple techniques, I'd mention traffic monitoring and analysis (especially traffic flow analysis) and behavioural analysis.

However detecting a dormant botnet isn't easy nor simple. e.g.: DARPA (via HACCS) awarded a $1.2m contract to build a system that can automatically pinpoint botnet-infected devices. https://www.fbo.gov/?s=opportunity&mode=form&id=72de4936f6f4...