File Download Via Bitsadmin To A Suspicious Target Folder

 1title: File Download Via Bitsadmin To A Suspicious Target Folder
 2id: 2ddef153-167b-4e89-86b6-757a9e65dcac
 3status: test
 4description: Detects usage of bitsadmin downloading a file to a suspicious target folder
 5references:
 6    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 7    - https://isc.sans.edu/diary/22264
 8    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 9    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
10author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
11date: 2022/06/28
12modified: 2023/05/30
13tags:
14    - attack.defense_evasion
15    - attack.persistence
16    - attack.t1197
17    - attack.s0190
18    - attack.t1036.003
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\bitsadmin.exe'
25        - OriginalFileName: 'bitsadmin.exe'
26    selection_flags:
27        CommandLine|contains:
28            - ' /transfer '
29            - ' /create '
30            - ' /addfile '
31    selection_folder:
32        CommandLine|contains:
33            - ':\Perflogs'
34            - ':\ProgramData\'
35            - ':\Temp\'
36            - ':\Users\Public\'
37            - ':\Windows\'
38            - '\AppData\Local\Temp\'
39            - '\AppData\Roaming\'
40            - '\Desktop\'
41            - '%ProgramData%'
42            - '%public%'
43    condition: all of selection_*
44falsepositives:
45    - Unknown
46level: high

References

• 15 Ways to Download a File

  

  Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system.

  
  Read More

• Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware - SANS Internet Storm Center

  

  Java Struts2 Vulnerability Used To Install Cerber Crypto Ransomware, Author: Johannes Ullrich

  
  Read More

• Bitsadmin | LOLBAS

  One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. bitsadmin /create 1 & bitsadmin /addfile 1 c:\...

  
  Read More

• Breaking the silence - Recent Truebot activity

  

  Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

  
  Read More

Related rules

• File With Suspicious Extension Downloaded Via Bitsadmin
• Suspicious Download From File-Sharing Website Via Bitsadmin
• File Download Via Bitsadmin To An Uncommon Target Folder
• Suspicious Download From Direct IP Via Bitsadmin
• File Download Via Bitsadmin