Suspicious Download From Direct IP Via Bitsadmin

Detects usage of bitsadmin downloading a file using an URL that contains an IP

Sigma rule (View on GitHub)

 1title: Suspicious Download From Direct IP Via Bitsadmin
 2id: 99c840f2-2012-46fd-9141-c761987550ef
 3related:
 4    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
 5      type: similar
 6status: test
 7description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
 8references:
 9    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
10    - https://isc.sans.edu/diary/22264
11    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
12    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
13author: Florian Roth (Nextron Systems)
14date: 2022/06/28
15modified: 2023/02/15
16tags:
17    - attack.defense_evasion
18    - attack.persistence
19    - attack.t1197
20    - attack.s0190
21    - attack.t1036.003
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_img:
27        - Image|endswith: '\bitsadmin.exe'
28        - OriginalFileName: 'bitsadmin.exe'
29    selection_flags:
30        CommandLine|contains:
31            - ' /transfer '
32            - ' /create '
33            - ' /addfile '
34    selection_extension:
35        CommandLine|contains:
36            - '://1'
37            - '://2'
38            - '://3'
39            - '://4'
40            - '://5'
41            - '://6'
42            - '://7'
43            - '://8'
44            - '://9'
45    filter_seven_zip:
46        CommandLine|contains: '://7-' # For https://7-zip.org/
47    condition: all of selection_* and not 1 of filter_*
48fields:
49    - CommandLine
50    - ParentCommandLine
51falsepositives:
52    - Unknown
53level: high

References

Related rules

to-top