File Download Via Bitsadmin To An Uncommon Target Folder

Detects usage of bitsadmin downloading a file to uncommon target folder

Sigma rule (View on GitHub)

 1title: File Download Via Bitsadmin To An Uncommon Target Folder
 2id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
 3status: test
 4description: Detects usage of bitsadmin downloading a file to uncommon target folder
 5references:
 6    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 7    - https://isc.sans.edu/diary/22264
 8    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 9    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
10author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
11date: 2022-06-28
12modified: 2023-02-15
13tags:
14    - attack.defense-evasion
15    - attack.persistence
16    - attack.t1197
17    - attack.s0190
18    - attack.t1036.003
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\bitsadmin.exe'
25        - OriginalFileName: 'bitsadmin.exe'
26    selection_flags:
27        CommandLine|contains:
28            - ' /transfer '
29            - ' /create '
30            - ' /addfile '
31    selection_folder:
32        CommandLine|contains:
33            - '%AppData%'
34            - '%temp%'
35            - '%tmp%'
36            - '\AppData\Local\'
37            - 'C:\Windows\Temp\'
38    condition: all of selection_*
39fields:
40    - CommandLine
41    - ParentCommandLine
42falsepositives:
43    - Unknown
44level: medium

References

Related rules

to-top