Bitsadmin to Uncommon IP Server Address
Detects BITS client connections (identified in proxy logs by the Microsoft BITS/ user agent) to IP addresses rather than fully qualified domain names
Sigma rule
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022/06/10
modified: 2022/08/24
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high
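The selection above, run over a few constructed proxy log lines, as an added example (this is not code from the rule, from its author, or from the SigmaHQ project): a small parser for W3C extended proxy logs, the rule's selection exactly as written, and a stricter variant that checks whether cs-host is an IP literal. The sample log, its field layout and the function names are assumptions made for this example. Comparing the two matchers shows the caveats a practitioner should know before deploying the rule: because the endswith list runs from 1 to 9, an address ending in 0 (such as 192.0.2.10) is not selected by the rule as written, while a bare internal hostname ending in a digit (such as srv01) is.

```python
"""Added example (not part of the Sigma rule or the SigmaHQ project): the rule's
selection logic applied to constructed W3C-style proxy log lines, next to a
stricter variant that tests whether cs-host is an IP literal."""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample log in W3C extended format (hypothetical, for illustration).
# Column order comes from the "#Fields:" directive, so the parser does not
# hard-code positions. c-useragent is last because it contains spaces.
SAMPLE_LOG = """\
#Software: example-proxy
#Fields: date time c-ip cs-method cs-host cs-uri-stem sc-status c-useragent
2022-06-10 10:00:01 10.1.2.3 GET 203.0.113.7 /update.bin 200 Microsoft BITS/7.8
2022-06-10 10:00:02 10.1.2.3 GET download.windowsupdate.com /x.cab 200 Microsoft BITS/7.8
2022-06-10 10:00:03 10.1.2.4 GET 203.0.113.7 /x.exe 200 Mozilla/5.0
2022-06-10 10:00:04 10.1.2.5 GET 192.0.2.10 /stage2.bin 200 Microsoft BITS/7.8
2022-06-10 10:00:05 10.1.2.5 GET srv01 /pkg.zip 200 Microsoft BITS/7.8
"""

Record = Dict[str, str]


def parse_w3c(text: str) -> List[Record]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("data line before #Fields directive")
        # Split into exactly len(fields) columns so the trailing field with
        # embedded spaces (the user agent) stays whole.
        parts = line.split(None, len(fields) - 1)
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


# Sigma string modifiers are case-insensitive by default, hence the .lower().
BITS_UA_PREFIX = "microsoft bits/"
# The rule's cs-host|endswith list is the digits 1 through 9; '0' is not listed.
RULE_SUFFIXES = tuple(str(d) for d in range(1, 10))


def matches_sigma_rule(rec: Record) -> bool:
    """The rule's 'selection' as written: BITS user agent AND host ending in 1-9."""
    ua_ok = rec.get("c-useragent", "").lower().startswith(BITS_UA_PREFIX)
    host_ok = rec.get("cs-host", "").lower().endswith(RULE_SUFFIXES)
    return ua_ok and host_ok


def matches_ip_literal(rec: Record) -> bool:
    """Stricter variant: BITS user agent AND cs-host parses as an IPv4/IPv6 literal."""
    if not rec.get("c-useragent", "").lower().startswith(BITS_UA_PREFIX):
        return False
    host = rec.get("cs-host", "").strip("[]")  # IPv6 literals appear as [addr]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def run_rule(text: str, matcher: Callable[[Record], bool]) -> List[Record]:
    """Return the records a matcher selects, in log order."""
    return [rec for rec in parse_w3c(text) if matcher(rec)]


if __name__ == "__main__":
    for name, matcher in (("rule as written", matches_sigma_rule),
                          ("ip-literal check", matches_ip_literal)):
        hosts = [r["cs-host"] for r in run_rule(SAMPLE_LOG, matcher)]
        print(f"{name:16}: {hosts}")
```

On the sample, the rule as written selects 203.0.113.7 and srv01 but misses 192.0.2.10; the IP-literal check selects 203.0.113.7 and 192.0.2.10 and ignores the bare hostname. Whether the stricter form is appropriate depends on the SIEM: Sigma backends translate endswith to simple suffix matching because most query languages have no native "is an IP address" test, which is why the rule is written the way it is.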
References
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
Related rules
- File Download Via Bitsadmin To An Uncommon Target Folder
- Suspicious Download From Direct IP Via Bitsadmin
- File Download Via Bitsadmin
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security