File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

Sigma rule

title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
