Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Sigma rule:
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
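To show what the rule's `selection and not falsepositives` condition actually evaluates to on proxy data, here is an added Python example that applies the same logic to constructed log records. It is illustrative code written for this page, not part of the Sigma project or of any Sigma backend; it assumes records are dicts keyed by the proxy logsource field names used in the rule (`c-useragent`, `cs-host`, `c-uri`, `ClientIP`) and follows Sigma's default case-insensitive string matching. The hostnames in the sample records are constructed and use RFC 2606 reserved TLDs.

```python
"""Evaluate the 'Bitsadmin to Uncommon TLD' Sigma logic over proxy log records.

Added example for this page (not Sigma project code). Assumes each record is a
dict using the rule's proxy field names: c-useragent, cs-host, c-uri, ClientIP.
"""

# Values taken directly from the rule above.
USER_AGENT_PREFIX = "Microsoft BITS/"          # detection.selection
KNOWN_GOOD_HOST_SUFFIXES = (                    # detection.falsepositives
    ".com",
    ".net",
    ".org",
    ".scdn.co",   # spotify streaming
    ".sfx.ms",    # Microsoft domain
)


def matches_rule(record: dict) -> bool:
    """Return True when the record satisfies 'selection and not falsepositives'.

    Sigma's startswith/endswith modifiers compare case-insensitively by
    default, so both sides are lowercased before comparison.
    """
    user_agent = record.get("c-useragent", "")
    host = record.get("cs-host", "")

    # selection: c-useragent|startswith 'Microsoft BITS/'
    selection = user_agent.lower().startswith(USER_AGENT_PREFIX.lower())

    # falsepositives: cs-host|endswith one of the known-good suffixes
    known_good = host.lower().endswith(KNOWN_GOOD_HOST_SUFFIXES)

    return selection and not known_good


def triage_fields(record: dict) -> dict:
    """Project a matching record onto the rule's 'fields' list for the analyst."""
    return {key: record.get(key) for key in ("ClientIP", "c-uri", "c-useragent")}


def run_detection(records: list) -> list:
    """Return the triage view of every record the rule would alert on."""
    return [triage_fields(r) for r in records if matches_rule(r)]


# Constructed sample proxy records (not real traffic). Hostnames use the
# reserved .example and .test TLDs from RFC 2606.
SAMPLE_RECORDS = [
    # BITS to a .com host: suppressed by the falsepositives filter.
    {"ClientIP": "10.0.0.11", "c-useragent": "Microsoft BITS/7.8",
     "cs-host": "download.windowsupdate.com", "c-uri": "/update.cab"},
    # BITS to a Microsoft .sfx.ms host: suppressed.
    {"ClientIP": "10.0.0.12", "c-useragent": "Microsoft BITS/7.8",
     "cs-host": "oneclient.sfx.ms", "c-uri": "/PreSignInSettingsConfig.json"},
    # BITS to an uncommon TLD: alerts.
    {"ClientIP": "10.0.0.13", "c-useragent": "Microsoft BITS/7.8",
     "cs-host": "updates.payload-host.example", "c-uri": "/stage2.bin"},
    # Host that merely contains 'com' in a label still has an uncommon TLD: alerts.
    {"ClientIP": "10.0.0.14", "c-useragent": "microsoft bits/7.5",
     "cs-host": "cdn.com.test", "c-uri": "/a.dll"},
    # Browser user agent to the same uncommon TLD: selection fails, no alert.
    {"ClientIP": "10.0.0.15", "c-useragent": "Mozilla/5.0",
     "cs-host": "updates.payload-host.example", "c-uri": "/index.html"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_RECORDS):
        print("ALERT", hit)
```

Running the block prints two alerts (the `.example` and `.test` hosts) and stays quiet on the `.com` and `.sfx.ms` records, which is exactly the trade-off the rule's `falsepositives` note describes: a legitimate updater fetching from a regional TLD such as `.uk` would also land in the alert list, so the suffix tuple is where a deployment adds its own vetted hosts.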
Related rules
- Bitsadmin to Uncommon IP Server Address
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin