← Back to Explore
sigmamediumHunting
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
Detection Query
selection:
EventID: 16403
filter_main_generic:
RemoteName|contains:
- .azureedge.net/
- .com/
- .sfx.ms/
- download.mozilla.org/
- cdn.onenote.net/
- cdn.office.net/
- tscdn.m365.static.microsoft/
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems)
Created
2022-06-10
Data Sources
windowsbits-client
Platforms
windows
References
Tags
attack.defense-evasionattack.persistenceattack.t1197
Raw Content
title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
status: test
description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
- https://twitter.com/malmoeb/status/1535142803075960832
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2025-02-28
tags:
- attack.defense-evasion
- attack.persistence
- attack.t1197
logsource:
product: windows
service: bits-client
detection:
selection:
EventID: 16403
filter_main_generic:
RemoteName|contains:
- '.azureedge.net/'
- '.com/'
- '.sfx.ms/'
- 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
- 'cdn.onenote.net/'
- 'cdn.office.net/'
- 'tscdn.m365.static.microsoft/'
condition: selection and not 1 of filter_main_*
falsepositives:
- This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
level: medium