Suspicious Download From File-Sharing Website Via Bitsadmin

Detects usage of bitsadmin downloading a file from a suspicious domain

Sigma rule

title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
related:
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2026-03-29
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
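The rule's `condition: all of selection_*` means a process_creation event must satisfy all three selections at once: the image or original file name identifies bitsadmin, the command line carries a download flag, and the command line names a listed domain. The following Python evaluator is an added example, not code from the Sigma project or this rule's author; it reproduces that logic (Sigma string matching is case-insensitive, so everything is lowercased), abbreviates the domain list for length, and runs it over constructed sample events whose field names follow Sigma's Windows process_creation taxonomy.

```python
# Added example: evaluator for the rule's three selections over constructed events.

# selection_flags, copied from the rule. The surrounding spaces matter: a command
# line that ends in "/transfer" with nothing after it does not match, as in the rule.
FLAGS = (" /transfer ", " /create ", " /addfile ")

# selection_domain, abbreviated here; the rule lists more file-sharing domains.
DOMAINS = (
    ".githubusercontent.com", "0x0.st", "anonfiles.com", "cdn.discordapp.com",
    "github.com", "mega.nz", "pastebin.com", "transfer.sh", "trycloudflare.com",
)


def matches(event: dict) -> bool:
    """Return True when the event satisfies 'all of selection_*'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # selection_img: either list item may match (a list of maps is OR in Sigma).
    sel_img = image.endswith("\\bitsadmin.exe") or original == "bitsadmin.exe"
    sel_flags = any(flag in cmd for flag in FLAGS)
    sel_domain = any(domain in cmd for domain in DOMAINS)
    return sel_img and sel_flags and sel_domain


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Positive: binary copied under another name, still caught via OriginalFileName.
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "svc.exe /transfer job1 https://pastebin.com/raw/EXAMPLE "
                    "C:\\Users\\Public\\out.txt"},
    # Negative: legitimate transfer from an internal host not in the domain list.
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /transfer patch https://updates.corp.example/p.msi "
                    "C:\\Temp\\p.msi"},
    # Negative: listed domain appears in a job name but no download flag is used.
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /resume mirror.github.com"},
]


def alerts(events) -> list:
    """Return the command lines of all events the rule would fire on."""
    return [ev["CommandLine"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```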
