BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
Sigma rule
```yaml
title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
status: test
description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
  - https://twitter.com/malmoeb/status/1535142803075960832
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2023-03-27
tags:
  - attack.defense-evasion
  - attack.persistence
  - attack.t1197
logsource:
  product: windows
  service: bits-client
detection:
  selection:
    EventID: 16403
  filter_main_generic:
    RemoteName|contains:
      - '.azureedge.net/'
      - '.com/'
      - '.sfx.ms/'
      - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
  condition: selection and not 1 of filter_main_*
falsepositives:
  - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
level: medium
```
Related rules
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job Downloading File Potential Suspicious Extension
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD