New BITS Job Created Via PowerShell
Detects the creation of a new bits job by PowerShell
Sigma rule

```yaml
title: New BITS Job Created Via PowerShell
id: fe3a2d49-f255-4d10-935c-bda7391108eb
status: test
description: Detects the creation of a new bits job by PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: low
```
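The selection logic of the rule above, evaluated in Python over constructed event records. This is an added example, not code from the original page or the Sigma project; the `jobTitle` field and all sample values are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against BITS-client events.
# The event dicts below are constructed sample data, not real telemetry.

RULE_EVENT_ID = 3
RULE_PATH_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies every field in `selection`.

    Fields inside one selection are ANDed; the values listed under
    processPath|endswith are ORed. Sigma string matching is
    case-insensitive, so the path is lower-cased before comparing.
    """
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    if event_id != RULE_EVENT_ID:
        return False
    path = event.get("processPath")
    if not isinstance(path, str):
        return False  # a missing field never matches
    # The leading backslash in each suffix anchors the match to the file
    # name, so "notpowershell.exe" does not satisfy the rule.
    return path.lower().endswith(RULE_PATH_SUFFIXES)


def detect(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_selection(e)]


SAMPLE_EVENTS = [  # constructed; "jobTitle" is an assumed field name
    {"EventID": 3, "jobTitle": "job-a",
     "processPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "jobTitle": "job-b",
     "processPath": r"C:\Program Files\PowerShell\7\PWSH.EXE"},
    {"EventID": 3, "jobTitle": "job-c",
     "processPath": r"C:\Windows\System32\bitsadmin.exe"},
    {"EventID": 3, "jobTitle": "job-d",
     "processPath": r"C:\Tools\notpowershell.exe"},
    {"EventID": 59, "jobTitle": "job-e",
     "processPath": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"EventID": "3", "jobTitle": "job-f"},  # processPath absent
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["jobTitle"], hit["processPath"])
```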
References
Related rules
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job Downloading File Potential Suspicious Extension
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Bitsadmin to Uncommon IP Server Address