← Back to Explore
sigmamediumHunting
BITS Transfer Job Downloading File Potential Suspicious Extension
Detects new BITS transfer job saving local files with potential suspicious extensions
Detection Query
selection:
EventID: 16403
LocalName|endswith:
- .bat
- .dll
- .exe
- .hta
- .ps1
- .psd1
- .sh
- .vbe
- .vbs
filter_optional_generic:
LocalName|contains: \AppData\
RemoteName|contains: .com
condition: selection and not 1 of filter_optional_*
Author
frack113
Created
2022-03-01
Data Sources
windowsbits-client
Platforms
windows
Tags
attack.defense-evasionattack.persistenceattack.t1197
Raw Content
title: BITS Transfer Job Downloading File Potential Suspicious Extension
id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
status: test
description: Detects new BITS transfer job saving local files with potential suspicious extensions
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
- attack.defense-evasion
- attack.persistence
- attack.t1197
logsource:
product: windows
service: bits-client
detection:
selection:
EventID: 16403
LocalName|endswith:
# TODO: Extend this list with more interesting file extensions
- '.bat'
- '.dll'
- '.exe' # TODO: Might wanna comment this if it generates tons of FPs
- '.hta'
- '.ps1'
- '.psd1'
- '.sh'
- '.vbe'
- '.vbs'
filter_optional_generic:
# Typical updates: Chrome, Dropbox etc.
LocalName|contains: '\AppData\'
RemoteName|contains: '.com'
condition: selection and not 1 of filter_optional_*
falsepositives:
- While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
level: medium