BITS Transfer Job Downloading File Potential Suspicious Extension
Detects new BITS transfer job saving local files with potential suspicious extensions
Sigma rule (View on GitHub)
1title: BITS Transfer Job Downloading File Potential Suspicious Extension
2id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
3status: test
4description: Detects new BITS transfer job saving local files with potential suspicious extensions
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
7author: frack113
8date: 2022-03-01
9modified: 2023-03-27
10tags:
11 - attack.persistence
12 - attack.execution
13 - attack.stealth
14 - attack.t1197
15logsource:
16 product: windows
17 service: bits-client
18detection:
19 selection:
20 EventID: 16403
21 LocalName|endswith:
22 # TODO: Extend this list with more interesting file extensions
23 - '.bat'
24 - '.dll'
25 - '.exe' # TODO: Might wanna comment this if it generates tons of FPs
26 - '.hta'
27 - '.ps1'
28 - '.psd1'
29 - '.sh'
30 - '.vbe'
31 - '.vbs'
32 filter_optional_generic:
33 # Typical updates: Chrome, Dropbox etc.
34 LocalName|contains: '\AppData\'
35 RemoteName|contains: '.com'
36 condition: selection and not 1 of filter_optional_*
37falsepositives:
38 - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
39level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download From File Sharing Domains
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Bitsadmin to Uncommon IP Server Address