Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
Sigma rule (View on GitHub)
1title: Suspicious Download From File-Sharing Website Via Bitsadmin
2id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
3status: test
4description: Detects usage of bitsadmin downloading a file from a suspicious domain
5references:
6 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
7 - https://isc.sans.edu/diary/22264
8 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
9 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
10 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
11 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
12author: Florian Roth (Nextron Systems)
13date: 2022-06-28
14modified: 2025-12-10
15tags:
16 - attack.defense-evasion
17 - attack.persistence
18 - attack.t1197
19 - attack.s0190
20 - attack.t1036.003
21 - attack.command-and-control
22 - attack.t1105
23logsource:
24 category: process_creation
25 product: windows
26detection:
27 selection_img:
28 - Image|endswith: '\bitsadmin.exe'
29 - OriginalFileName: 'bitsadmin.exe'
30 selection_flags:
31 CommandLine|contains:
32 - ' /transfer '
33 - ' /create '
34 - ' /addfile '
35 selection_domain:
36 CommandLine|contains:
37 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
38 - 'anonfiles.com'
39 - 'cdn.discordapp.com'
40 - 'ddns.net'
41 - 'dl.dropboxusercontent.com'
42 - 'ghostbin.co'
43 - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
44 - 'glitch.me'
45 - 'gofile.io'
46 - 'hastebin.com'
47 - 'mediafire.com'
48 - 'mega.nz'
49 - 'onrender.com'
50 - 'pages.dev'
51 - 'paste.ee'
52 - 'pastebin.com'
53 - 'pastebin.pl'
54 - 'pastetext.net'
55 - 'privatlab.com'
56 - 'privatlab.net'
57 - 'send.exploit.in'
58 - 'sendspace.com'
59 - 'storage.googleapis.com'
60 - 'storjshare.io'
61 - 'supabase.co'
62 - 'temp.sh'
63 - 'transfer.sh'
64 - 'trycloudflare.com'
65 - 'ufile.io'
66 - 'w3spaces.com'
67 - 'workers.dev'
68 condition: all of selection_*
69falsepositives:
70 - Some legitimate apps use this, but limited.
71level: high
72regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
73simulation:
74 - type: atomic-red-team
75 name: Windows - BITSAdmin BITS Download
76 technique: T1105
77 atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
References
-
This blog will cover 15 different ways to move files from your machine to a compromised system.
Read More -
Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich
Read More -
Bitsadmin.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.
Read More -
Summary Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware...
Read More -
A distinct subset of Mint Sandstorm targets high-profile individuals working on Middle Eastern affairs at universities and research orgs.
Read More
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From Direct IP Via Bitsadmin
- Bitsadmin to Uncommon TLD