← Back to Explore
sigmahighHunting
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
Detection Query
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
selection_flags:
CommandLine|contains:
- " /transfer "
- " /create "
- " /addfile "
selection_domain:
CommandLine|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
condition: all of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-06-28
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Tags
attack.defense-evasionattack.persistenceattack.t1197attack.s0190attack.t1036.003attack.command-and-controlattack.t1105
Raw Content
title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
- attack.defense-evasion
- attack.persistence
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_domain:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b