Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Sigma rule
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
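The rule reduces to "BITS user agent, and the destination host does not end with an allowlisted suffix". The following is an added example, not part of the Sigma rule or the SigmaHQ project, that applies that logic to a constructed W3C-style proxy log (the log lines, field names and the tab-separated layout are assumptions for the demo, not a real capture). It also shows the rule's blind spot: the allowlist is purely suffix-based, so any host under `.com`, `.net` or `.org` is dropped regardless of how suspicious the rest of the name looks, and Sigma string matching is case-insensitive, so the host is lowercased before comparison.

```python
"""Apply the 'Bitsadmin to Uncommon TLD' selection/filter logic to proxy log records."""

# Values copied from the rule: the selection prefix and the filter's host suffixes.
BITS_UA_PREFIX = "Microsoft BITS/"
ALLOWED_HOST_SUFFIXES = (".com", ".net", ".org", ".scdn.co", ".sfx.ms")

# Constructed sample log (assumption: W3C extended format with tab-separated values,
# which keeps the space inside the BITS user agent intact). Not a real capture.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample for illustration",
    "#Fields: date time c-ip cs-host cs-uri-path c-useragent sc-status",
    "\t".join(["2023-05-17", "10:01:02", "10.0.0.5", "download.windowsupdate.com",
               "/d/update.cab", "Microsoft BITS/7.8", "200"]),
    "\t".join(["2023-05-17", "10:02:11", "10.0.0.7", "oneclient.sfx.ms",
               "/PreSignInSettings/Prod/config.json", "Microsoft BITS/7.8", "200"]),
    "\t".join(["2023-05-17", "10:02:40", "10.0.0.7", "audio-fa.scdn.co",
               "/track.mp3", "Microsoft BITS/7.8", "200"]),
    "\t".join(["2023-05-17", "10:03:40", "10.0.0.9", "updates.example.xyz",
               "/payload.bin", "Microsoft BITS/7.8", "200"]),
    "\t".join(["2023-05-17", "10:04:02", "10.0.0.9", "updates.example.xyz",
               "/payload.bin", "Mozilla/5.0", "200"]),
    "\t".join(["2023-05-17", "10:05:15", "10.0.0.11", "cdn.vendor.co.uk",
               "/update.exe", "Microsoft BITS/7.5", "200"]),
])


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if raw.startswith("#") or fields is None:
            continue  # other directives, or data seen before any #Fields line
        yield dict(zip(fields, raw.split("\t")))


def matches_rule(record):
    """Return True when the record satisfies `selection and not falsepositives`.

    Sigma string matching is case-insensitive, so both sides are lowercased.
    A trailing dot (FQDN form) is stripped so 'host.xyz.' still ends with '.xyz'.
    """
    ua = record.get("c-useragent", "").lower()
    host = record.get("cs-host", "").lower().rstrip(".")
    if not ua.startswith(BITS_UA_PREFIX.lower()):
        return False  # selection not met
    return not host.endswith(ALLOWED_HOST_SUFFIXES)  # 'and not falsepositives'


def run_rule(text):
    """Return the records that would raise this rule's alert."""
    return [r for r in parse_w3c(text) if matches_rule(r)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f"ALERT {hit['c-ip']} -> {hit['cs-host']} ({hit['c-useragent']})")
```

On the sample, only the `.xyz` and `.co.uk` BITS transfers fire: the Windows Update, `sfx.ms` and `scdn.co` fetches are filtered, and the non-BITS request to the same `.xyz` host is not selected at all. A `.co.uk` hit is exactly the regional-TLD false positive the rule's own `falsepositives` note anticipates, so a site that sees legitimate updaters on such TLDs should extend the filter list rather than lower the level.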
Related rules
- Bitsadmin to Uncommon IP Server Address
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin