Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

Sigma rule (View on GitHub)

 1title: Bitsadmin to Uncommon TLD
 2id: 9eb68894-7476-4cd6-8752-23b51f5883a7
 3status: test
 4description: Detects Bitsadmin connections to domains with uncommon TLDs
 5references:
 6    - https://twitter.com/jhencinski/status/1102695118455349248
 7    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 8author: Florian Roth (Nextron Systems), Tim Shelton
 9date: 2019-03-07
10modified: 2023-05-17
11tags:
12    - attack.command-and-control
13    - attack.t1071.001
14    - attack.defense-evasion
15    - attack.persistence
16    - attack.t1197
17    - attack.s0190
18logsource:
19    category: proxy
20detection:
21    selection:
22        c-useragent|startswith: 'Microsoft BITS/'
23    falsepositives:
24        cs-host|endswith:
25            - '.com'
26            - '.net'
27            - '.org'
28            - '.scdn.co' # spotify streaming
29            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
30    condition: selection and not falsepositives
31fields:
32    - ClientIP
33    - c-uri
34    - c-useragent
35falsepositives:
36    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
37level: high

References

Related rules

to-top