File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Sigma rule (View on GitHub)
1title: File Download Via Bitsadmin
2id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
3status: test
4description: Detects usage of bitsadmin downloading a file
5references:
6 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
7 - https://isc.sans.edu/diary/22264
8 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
9author: Michael Haag, FPT.EagleEye
10date: 2017/03/09
11modified: 2023/02/15
12tags:
13 - attack.defense_evasion
14 - attack.persistence
15 - attack.t1197
16 - attack.s0190
17 - attack.t1036.003
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\bitsadmin.exe'
24 - OriginalFileName: 'bitsadmin.exe'
25 selection_cmd:
26 CommandLine|contains: ' /transfer '
27 selection_cli_1:
28 CommandLine|contains:
29 - ' /create '
30 - ' /addfile '
31 selection_cli_2:
32 CommandLine|contains: 'http'
33 condition: selection_img and (selection_cmd or all of selection_cli_*)
34fields:
35 - CommandLine
36 - ParentCommandLine
37falsepositives:
38 - Some legitimate apps use this, but limited.
39level: medium
References
-
Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system.
Read More -
Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich
Read More -
Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinter...
Read More
Related rules
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Possible Privilege Escalation via Weak Service Permissions
- Fax Service DLL Search Order Hijack
- Renamed Jusched.EXE Execution
- Renamed Autohotkey Binary