← Back to Explore
sigmamediumHunting
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Detection Query
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
selection_cmd:
CommandLine|contains: " /transfer "
selection_cli_1:
CommandLine|contains:
- " /create "
- " /addfile "
selection_cli_2:
CommandLine|contains: http
condition: selection_img and (selection_cmd or all of selection_cli_*)
Author
Michael Haag, FPT.EagleEye
Created
2017-03-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.persistenceattack.t1197attack.s0190attack.t1036.003attack.command-and-controlattack.t1105
Raw Content
title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
- attack.defense-evasion
- attack.persistence
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_cmd:
CommandLine|contains: ' /transfer '
selection_cli_1:
CommandLine|contains:
- ' /create '
- ' /addfile '
selection_cli_2:
CommandLine|contains: 'http'
condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
- Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b