
BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Author: Florian Roth (Nextron Systems)
Created: Fri Jun 10
Updated: Fri Feb 28
Rule ID: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
Product: windows
Log Source
Product: windows
Service: bits-client
Detection Logic (2 selectors)
detection:
    selection:
        EventID: 16403
    filter_main_generic:
        RemoteName|contains:
            - '.azureedge.net/'
            - '.com/'
            - '.sfx.ms/'
            - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
            - 'cdn.onenote.net/'
            - 'cdn.office.net/'
            - 'tscdn.m365.static.microsoft/'
    condition: selection and not 1 of filter_main_*
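To show how the selection, the filter and the condition combine, here is an added Python evaluation of this rule's logic over a few constructed BITS-Client events (this is illustrative code written for this page, not part of the Sigma rule or any backend; the hostnames are made up, and it assumes Sigma's default case-insensitive `contains` matching).

```python
# Added example: evaluate the Sigma rule above against constructed events.
# Sigma string modifiers such as 'contains' match case-insensitively by default.

FILTER_MAIN_GENERIC = [
    ".azureedge.net/",
    ".com/",
    ".sfx.ms/",
    "download.mozilla.org/",
    "cdn.onenote.net/",
    "cdn.office.net/",
    "tscdn.m365.static.microsoft/",
]

def matches_selection(event: dict) -> bool:
    """selection: EventID 16403 (Microsoft-Windows-Bits-Client new transfer job)."""
    return event.get("EventID") == 16403

def matches_filter_main(event: dict) -> bool:
    """filter_main_generic: RemoteName contains any allow-listed fragment."""
    remote = str(event.get("RemoteName", "")).lower()
    return any(fragment.lower() in remote for fragment in FILTER_MAIN_GENERIC)

def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_filter_main(event)

def alerts(events: list) -> list:
    """Return the RemoteName of every event the rule would alert on."""
    return [e["RemoteName"] for e in events if rule_fires(e)]

# Constructed sample events (hypothetical hostnames, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "https://download.mozilla.org/?product=firefox"},
    {"EventID": 16403, "RemoteName": "https://files.example.com/setup.msi"},   # '.com/' excluded
    {"EventID": 16403, "RemoteName": "http://files.example.xyz/update.dat"},   # uncommon TLD
    {"EventID": 16403, "RemoteName": "https://pkgs.example.org/tool.zip"},     # '.org' not excluded
    {"EventID": 16402, "RemoteName": "http://files.example.xyz/update.dat"},   # wrong EventID
]

if __name__ == "__main__":
    for remote in alerts(SAMPLE_EVENTS):
        print("ALERT:", remote)
```

The fourth event illustrates the false-positive note below: a `.org` download fires because only the listed fragments are filtered out.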
False Positives

This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service.

Rule Metadata
Rule ID
6d44fb93-e7d2-475c-9d3d-54c9c1e33427
Status
test
Level
medium
Type
Detection
Created
Fri Jun 10
Modified
Fri Feb 28
Path
rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
Raw Tags
attack.defense-evasion attack.persistence attack.t1197