Suspicious Download From File-Sharing Website Via Bitsadmin

 1title: Suspicious Download From File-Sharing Website Via Bitsadmin
 2id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
 3status: experimental
 4description: Detects usage of bitsadmin downloading a file from a suspicious domain
 5references:
 6    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 7    - https://isc.sans.edu/diary/22264
 8    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 9    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
10    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
11    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
12author: Florian Roth (Nextron Systems)
13date: 2022-06-28
14modified: 2024-08-22
15tags:
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.t1197
19    - attack.s0190
20    - attack.t1036.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_img:
26        - Image|endswith: '\bitsadmin.exe'
27        - OriginalFileName: 'bitsadmin.exe'
28    selection_flags:
29        CommandLine|contains:
30            - ' /transfer '
31            - ' /create '
32            - ' /addfile '
33    selection_domain:
34        CommandLine|contains:
35            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
36            - 'anonfiles.com'
37            - 'cdn.discordapp.com'
38            - 'ddns.net'
39            - 'dl.dropboxusercontent.com'
40            - 'ghostbin.co'
41            - 'glitch.me'
42            - 'gofile.io'
43            - 'hastebin.com'
44            - 'mediafire.com'
45            - 'mega.nz'
46            - 'onrender.com'
47            - 'pages.dev'
48            - 'paste.ee'
49            - 'pastebin.com'
50            - 'pastebin.pl'
51            - 'pastetext.net'
52            - 'privatlab.com'
53            - 'privatlab.net'
54            - 'send.exploit.in'
55            - 'sendspace.com'
56            - 'storage.googleapis.com'
57            - 'storjshare.io'
58            - 'supabase.co'
59            - 'temp.sh'
60            - 'transfer.sh'
61            - 'trycloudflare.com'
62            - 'ufile.io'
63            - 'w3spaces.com'
64            - 'workers.dev'
65    condition: all of selection_*
66falsepositives:
67    - Some legitimate apps use this, but limited.
68level: high

References

• 15 Ways to Download a File

  

  This blog will cover 15 different ways to move files from your machine to a compromised system.

  
  Read More

• Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware - SANS Internet Storm Center

  

  Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich

  
  Read More

• Bitsadmin on LOLBAS

  

  Bitsadmin.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Ransomware: How Attackers are Breaching Corporate Networks

  

  Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

  
  Read More

• #StopRansomware: Hive Ransomware | CISA

  Summary Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware...

  
  Read More

• New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog

  

  A distinct subset of Mint Sandstorm targets high-profile individuals working on Middle Eastern affairs at universities and research orgs.

  
  Read More

Related rules

• File Download Via Bitsadmin
• File Download Via Bitsadmin To A Suspicious Target Folder
• File Download Via Bitsadmin To An Uncommon Target Folder
• File With Suspicious Extension Downloaded Via Bitsadmin
• Suspicious Download From Direct IP Via Bitsadmin