BITS Transfer Job Downloading File Potential Suspicious Extension
Detects new BITS transfer job saving local files with potential suspicious extensions
Sigma rule (View on GitHub)
1title: BITS Transfer Job Downloading File Potential Suspicious Extension
2id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
3status: test
4description: Detects new BITS transfer job saving local files with potential suspicious extensions
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
7author: frack113
8date: 2022/03/01
9modified: 2023/03/27
10tags:
11 - attack.defense_evasion
12 - attack.persistence
13 - attack.t1197
14logsource:
15 product: windows
16 service: bits-client
17detection:
18 selection:
19 EventID: 16403
20 LocalName|endswith:
21 # TODO: Extend this list with more interesting file extensions
22 - '.bat'
23 - '.dll'
24 - '.exe' # TODO: Might wanna comment this if it generates tons of FPs
25 - '.hta'
26 - '.ps1'
27 - '.psd1'
28 - '.sh'
29 - '.vbe'
30 - '.vbs'
31 filter_optional_generic:
32 # Typical updates: Chrome, Dropbox etc.
33 LocalName|contains: '\AppData\'
34 RemoteName|contains: '.com'
35 condition: selection and not 1 of filter_optional_*
36falsepositives:
37 - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
38level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- New BITS Job Created Via PowerShell
- Bitsadmin to Uncommon IP Server Address