EXPLORE
Sign In
← Back to Explore
sigmahighHunting

BITS Transfer Job Download From Direct IP

Detects a BITS transfer job downloading file(s) from a direct IP address.

MITRE ATT&CK

T1197
defense-evasionpersistence

Detection Query

selection:
  EventID: 16403
  RemoteName|contains:
    - http://1
    - http://2
    - http://3
    - http://4
    - http://5
    - http://6
    - http://7
    - http://8
    - http://9
    - https://1
    - https://2
    - https://3
    - https://4
    - https://5
    - https://6
    - https://7
    - https://8
    - https://9
filter_optional_local_networks:
  RemoteName|contains:
    - ://10.
    - ://192.168.
    - ://172.16.
    - ://172.17.
    - ://172.18.
    - ://172.19.
    - ://172.20.
    - ://172.21.
    - ://172.22.
    - ://172.23.
    - ://172.24.
    - ://172.25.
    - ://172.26.
    - ://172.27.
    - ://172.28.
    - ://172.29.
    - ://172.30.
    - ://172.31.
    - ://127.
    - ://169.254.
filter_optional_seven_zip:
  RemoteName|contains:
    - https://7-
    - http://7-
condition: selection and not 1 of filter_optional_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-01-11

Data Sources

windowsbits-client

Platforms

windows

References

Tags

attack.defense-evasionattack.persistenceattack.t1197
Raw Content
title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high