Suspicious Download From File-Sharing Website Via Bitsadmin

Detects usage of bitsadmin downloading a file from a suspicious domain

Sigma rule (View on GitHub)

 1title: Suspicious Download From File-Sharing Website Via Bitsadmin
 2id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
 3status: experimental
 4description: Detects usage of bitsadmin downloading a file from a suspicious domain
 5references:
 6    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 7    - https://isc.sans.edu/diary/22264
 8    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 9    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
10    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
11    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
12author: Florian Roth (Nextron Systems)
13date: 2022-06-28
14modified: 2024-08-22
15tags:
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.t1197
19    - attack.s0190
20    - attack.t1036.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_img:
26        - Image|endswith: '\bitsadmin.exe'
27        - OriginalFileName: 'bitsadmin.exe'
28    selection_flags:
29        CommandLine|contains:
30            - ' /transfer '
31            - ' /create '
32            - ' /addfile '
33    selection_domain:
34        CommandLine|contains:
35            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
36            - 'anonfiles.com'
37            - 'cdn.discordapp.com'
38            - 'ddns.net'
39            - 'dl.dropboxusercontent.com'
40            - 'ghostbin.co'
41            - 'glitch.me'
42            - 'gofile.io'
43            - 'hastebin.com'
44            - 'mediafire.com'
45            - 'mega.nz'
46            - 'onrender.com'
47            - 'pages.dev'
48            - 'paste.ee'
49            - 'pastebin.com'
50            - 'pastebin.pl'
51            - 'pastetext.net'
52            - 'privatlab.com'
53            - 'privatlab.net'
54            - 'send.exploit.in'
55            - 'sendspace.com'
56            - 'storage.googleapis.com'
57            - 'storjshare.io'
58            - 'supabase.co'
59            - 'temp.sh'
60            - 'transfer.sh'
61            - 'trycloudflare.com'
62            - 'ufile.io'
63            - 'w3spaces.com'
64            - 'workers.dev'
65    condition: all of selection_*
66falsepositives:
67    - Some legitimate apps use this, but limited.
68level: high

References

Related rules

to-top