BITS Transfer Job Download To Potential Suspicious Folder
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
Sigma rule

```yaml
title: BITS Transfer Job Download To Potential Suspicious Folder
id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
status: test
description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        LocalName|contains:
            # TODO: Add more interesting suspicious paths
            - '\Desktop\'
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: high
```
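As an added example (not part of the rule above or of the Sigma project), the following Python evaluates the rule's `selection` against a handful of constructed BITS-Client event records and reports which ones would fire. Only `EventID` and `LocalName` come from the rule; the other fields and every value in the sample events are constructed for illustration. Sigma string matching is case-insensitive and `contains` is a substring test, and the code mirrors both.

```python
"""Evaluate the Sigma selection of the BITS rule against sample events.

Example code, not the Sigma project's own evaluator. Sigma string
matching is case-insensitive, so both sides are lower-cased before
the `contains` (substring) test.
"""

# Values copied from the rule's detection section.
RULE_EVENT_ID = 16403
SUSPICIOUS_LOCALNAME_SUBSTRINGS = (
    "\\Desktop\\",
    "C:\\Users\\Public\\",
    "C:\\PerfLogs\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Both conditions of the selection must hold: the EventID must be
    16403 and LocalName must contain one of the listed path fragments.
    """
    if event.get("EventID") != RULE_EVENT_ID:
        return False
    local_name = str(event.get("LocalName", "")).lower()
    return any(
        fragment.lower() in local_name
        for fragment in SUSPICIOUS_LOCALNAME_SUBSTRINGS
    )


def find_matches(events):
    """Return the subset of events the rule would alert on."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry). Field names other
# than EventID and LocalName are assumptions for the sake of the demo.
SAMPLE_EVENTS = [
    {"EventID": 16403, "jobTitle": "upd",
     "RemoteName": "http://example.invalid/a.bin",
     "LocalName": "C:\\Users\\Public\\update.exe"},          # fires
    {"EventID": 16403, "jobTitle": "tool",
     "RemoteName": "http://example.invalid/t.bin",
     "LocalName": "C:\\Users\\alice\\Desktop\\tool.exe"},    # fires
    {"EventID": 16403, "jobTitle": "report",
     "RemoteName": "https://example.invalid/r.pdf",
     "LocalName": "C:\\Users\\alice\\Downloads\\report.pdf"},  # path not listed
    {"EventID": 16402, "jobTitle": "svc",
     "RemoteName": "http://example.invalid/s.bin",
     "LocalName": "C:\\PerfLogs\\svc.exe"},                  # wrong EventID
    {"EventID": 16403, "jobTitle": "svc2",
     "RemoteName": "http://example.invalid/s2.bin",
     "LocalName": "c:\\perflogs\\svc.exe"},                  # fires (case-insensitive)
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} LocalName={hit['LocalName']}")
```

Three of the five sample events fire; the Downloads path is outside the rule's list and the 16402 event fails the EventID condition even though its path is listed. In practice the rule is converted to a backend query with sigma-cli or pySigma rather than evaluated like this, but the same two conditions apply, and the short path list (note the rule's own TODO) is the natural place to tune coverage against the `Unknown` false-positive profile.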
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
Related rules
- BITS Transfer Job Download From Direct IP
- BITS Transfer Job Download From File Sharing Domains
- BITS Transfer Job Downloading File Potential Suspicious Extension
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Bitsadmin to Uncommon IP Server Address