Detection rule, level: high, status: test
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Jan 11
Updated: Mon Mar 27
Rule ID: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
Product: windows
Log Source
Product: windows
Service: bits-client
Detection Logic (3 selectors)
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
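To make the three selectors and the condition concrete, the following added Python snippet (written for this page, not code from the Sigma rule or the Sigma project) re-implements the match logic, including Sigma's case-insensitive `contains` semantics and `selection and not 1 of filter_optional_*`, and runs it over constructed BITS-Client event records. The field names follow the rule (EventID, RemoteName); the events and URLs are constructed, not real telemetry.

```python
"""Added example: re-implements the Sigma rule's matching logic in plain
Python over constructed BITS-Client events (not real telemetry)."""

# Sigma 'contains' is case-insensitive, so every comparison lowercases.
SELECTION_PREFIXES = [f"{s}://{d}" for s in ("http", "https") for d in "123456789"]

PRIVATE_NETWORK_MARKERS = ["://10.", "://192.168.", "://127.", "://169.254."] + [
    f"://172.{n}." for n in range(16, 32)  # 172.16.0.0/12
]
SEVEN_ZIP_MARKERS = ["https://7-", "http://7-"]  # for https://7-zip.org/


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event):
    """True when 'selection and not 1 of filter_optional_*' holds."""
    if event.get("EventID") != 16403:
        return False
    remote = event.get("RemoteName", "")
    if not _contains_any(remote, SELECTION_PREFIXES):
        return False
    # Either optional filter suppresses the alert.
    if _contains_any(remote, PRIVATE_NETWORK_MARKERS):
        return False
    return not _contains_any(remote, SEVEN_ZIP_MARKERS)


# Constructed sample events; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "http://203.0.113.5/update.bin"},  # alert
    {"EventID": 16403, "RemoteName": "https://10.20.30.40/installer.msi"},  # RFC1918
    {"EventID": 16403, "RemoteName": "https://7-zip.org/a/7z2301-x64.exe"},  # 7-Zip
    {"EventID": 16403, "RemoteName": "https://cdn.example.com/setup.exe"},  # hostname
    {"EventID": 16404, "RemoteName": "http://203.0.113.5/update.bin"},  # wrong event
]


def alerts(events):
    """Return the RemoteName of every event that fires the rule."""
    return [e["RemoteName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for url in alerts(SAMPLE_EVENTS):
        print("ALERT:", url)
```

The selection is a string-prefix heuristic rather than an IP parser: any host that begins with a digit (a hostname such as 1example.test, for instance) also matches, which is why the rule carries the 7-Zip filter and why its false-positive rate is listed as unknown.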
MITRE ATT&CK
Techniques
T1197 (BITS Jobs); tactics: Defense Evasion, Persistence
Rule Metadata
Rule ID
90f138c1-f578-4ac3-8c49-eecfd847c8b7
Status
test
Level
high
Type
Detection
Created
Wed Jan 11
Modified
Mon Mar 27
Path
rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.t1197