Suspicious Download From Direct IP Via Bitsadmin

 1title: Suspicious Download From Direct IP Via Bitsadmin
 2id: 99c840f2-2012-46fd-9141-c761987550ef
 3related:
 4    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
 5      type: similar
 6status: test
 7description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
 8references:
 9    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
10    - https://isc.sans.edu/diary/22264
11    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
12    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
13author: Florian Roth (Nextron Systems)
14date: 2022-06-28
15modified: 2023-02-15
16tags:
17    - attack.defense-evasion
18    - attack.persistence
19    - attack.t1197
20    - attack.s0190
21    - attack.t1036.003
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_img:
27        - Image|endswith: '\bitsadmin.exe'
28        - OriginalFileName: 'bitsadmin.exe'
29    selection_flags:
30        CommandLine|contains:
31            - ' /transfer '
32            - ' /create '
33            - ' /addfile '
34    selection_extension:
35        CommandLine|contains:
36            - '://1'
37            - '://2'
38            - '://3'
39            - '://4'
40            - '://5'
41            - '://6'
42            - '://7'
43            - '://8'
44            - '://9'
45    filter_seven_zip:
46        CommandLine|contains: '://7-' # For https://7-zip.org/
47    condition: all of selection_* and not 1 of filter_*
48fields:
49    - CommandLine
50    - ParentCommandLine
51falsepositives:
52    - Unknown
53level: high

References

• 15 Ways to Download a File

  

  This blog will cover 15 different ways to move files from your machine to a compromised system.

  
  Read More

• Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware - SANS Internet Storm Center

  

  Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich

  
  Read More

• Bitsadmin on LOLBAS

  

  Bitsadmin.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Breaking the silence - Recent Truebot activity

  

  Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

  
  Read More

Related rules

• File Download Via Bitsadmin
• File Download Via Bitsadmin To A Suspicious Target Folder
• File Download Via Bitsadmin To An Uncommon Target Folder
• File With Suspicious Extension Downloaded Via Bitsadmin
• Bitsadmin to Uncommon IP Server Address