Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDN names

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Fri Jun 10Updated Wed Aug 248ccd35a2-1c7c-468b-b568-ac6cdf80eec3web
Log Source
Proxy Log
CategoryProxy Log← raw: proxy
Detection Logic
Detection Logic1 selector
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
isc.sans.edu
MITRE ATT&CK
Rule Metadata
Rule ID
8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
Status
test
Level
high
Type
Detection
Created
Fri Jun 10
Modified
Wed Aug 24
Author
Florian Roth (Nextron Systems)
Path
rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
Raw Tags
attack.command-and-controlattack.t1071.001attack.defense-evasionattack.persistenceattack.t1197attack.s0190
View on GitHub