Detection (level: low, status: test)

New BITS Job Created Via Bitsadmin

Detects the creation of a new bits job by Bitsadmin

Author: François Hubaut
Created: Tue Mar 01
Updated: Mon Mar 27
Rule ID: 1ff315dc-2a3a-4b71-8dde-873818d25d39
Product: windows
Log Source
Product: Windows (raw: windows)
Service: bits-client (raw: bits-client)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 3
        processPath|endswith: '\bitsadmin.exe'
    condition: selection
False Positives

Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field.
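As an added example (not part of the rule or of this page), the following Python applies the rule's selection (EventID 3 and a processPath ending in \bitsadmin.exe, matched case-insensitively as Sigma does by default) to a handful of constructed BITS-Client events, and then performs the JobID correlation with EID 16403 that the false-positive note above recommends. The sample records and every field name other than EventID and processPath are assumptions; adjust them to your collector's schema.

```python
"""Evaluate the Sigma selection over sample events and correlate by JobID.

Added example, not the rule's own code. Sample events are constructed and
field names other than EventID and processPath are assumptions.
"""
from collections import defaultdict

# Constructed BITS-Client events (assumed schema: EventID, processPath, JobID).
SAMPLE_EVENTS = [
    {"EventID": 3, "processPath": r"C:\Windows\System32\bitsadmin.exe", "JobID": "job-A"},
    {"EventID": 16403, "processPath": "", "JobID": "job-A"},
    {"EventID": 3, "processPath": r"C:\Windows\System32\BITSADMIN.EXE", "JobID": "job-B"},
    {"EventID": 3, "processPath": r"C:\Windows\System32\svchost.exe", "JobID": "job-C"},
    {"EventID": 59, "processPath": r"C:\Windows\System32\bitsadmin.exe", "JobID": "job-D"},
]


def matches_selection(event):
    """Sigma selection: EventID == 3 AND processPath|endswith '\\bitsadmin.exe'.

    Sigma string comparisons are case-insensitive unless the 'cased' modifier
    is used, so the path is lowercased before the suffix check.
    """
    if event.get("EventID") != 3:
        return False
    path = event.get("processPath") or ""
    return path.lower().endswith("\\bitsadmin.exe")


def correlate_by_jobid(events):
    """Return one record per rule hit with the count of EID 16403 events
    sharing its JobID, so an analyst can prioritise hits that have follow-on
    job activity over bare job creations."""
    by_job = defaultdict(list)
    for ev in events:
        by_job[ev.get("JobID")].append(ev)

    hits = []
    for ev in events:
        if not matches_selection(ev):
            continue
        related = [e for e in by_job[ev.get("JobID")] if e.get("EventID") == 16403]
        hits.append({
            "JobID": ev.get("JobID"),
            "processPath": ev.get("processPath"),
            "related_16403": len(related),
        })
    return hits


if __name__ == "__main__":
    for hit in correlate_by_jobid(SAMPLE_EVENTS):
        print(hit)
```

Only the two EID 3 events from bitsadmin.exe match; the correlation step shows that one of them (job-A) has an accompanying EID 16403 while the other (job-B) does not, which is the distinction the false-positive note asks you to make before raising the alert's priority.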

Rule Metadata
Rule ID
1ff315dc-2a3a-4b71-8dde-873818d25d39
Status
test
Level
low
Type
Detection
Created
Tue Mar 01
Modified
Mon Mar 27
Path
rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.t1197