Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Download From Direct IP Via Bitsadmin

Detects usage of bitsadmin downloading a file using an URL that contains an IP

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Jun 28Updated Wed Feb 1599c840f2-2012-46fd-9141-c761987550efwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic4 selectors
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    filter_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
blog.netspi.com
2
Resolving title…
isc.sans.edu
3
Resolving title…
lolbas-project.github.io
4
Resolving title…
blog.talosintelligence.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

BITS Transfer Job Download From Direct IP

Detects a BITS transfer job downloading file(s) from a direct IP address.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
99c840f2-2012-46fd-9141-c761987550ef
Status
test
Level
high
Type
Detection
Created
Tue Jun 28
Modified
Wed Feb 15
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.t1197attack.s0190attack.t1036.003
View on GitHub