File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Sigma rule (View on GitHub)
1title: File Download Via Bitsadmin
2id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
3status: test
4description: Detects usage of bitsadmin downloading a file
5references:
6 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
7 - https://isc.sans.edu/diary/22264
8 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
9author: Michael Haag, FPT.EagleEye
10date: 2017-03-09
11modified: 2023-02-15
12tags:
13 - attack.defense-evasion
14 - attack.persistence
15 - attack.t1197
16 - attack.s0190
17 - attack.t1036.003
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\bitsadmin.exe'
24 - OriginalFileName: 'bitsadmin.exe'
25 selection_cmd:
26 CommandLine|contains: ' /transfer '
27 selection_cli_1:
28 CommandLine|contains:
29 - ' /create '
30 - ' /addfile '
31 selection_cli_2:
32 CommandLine|contains: 'http'
33 condition: selection_img and (selection_cmd or all of selection_cli_*)
34fields:
35 - CommandLine
36 - ParentCommandLine
37falsepositives:
38 - Some legitimate apps use this, but limited.
39level: medium
References
-
This blog will cover 15 different ways to move files from your machine to a compromised system.
Read More -
Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich
Read More -
Bitsadmin.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From Direct IP Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address