Detection | high | test

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

Authors: Florian Roth (Nextron Systems), Tim Shelton
Created: Thu Mar 07
Updated: Wed May 17
Rule ID: 9eb68894-7476-4cd6-8752-23b51f5883a7
Rules directory: web

Log Source
Category: Proxy Log (raw: proxy)

Detection Logic (2 selectors)
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
False Positives

Rare programs that use Bitsadmin and update from regional TLDs, e.g. .uk or .ca
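The following is an added example, not part of the Sigma rule page or the Sigma project: it re-implements the two selectors and the condition of this rule in plain Python and runs them over constructed proxy log records (W3C-style field names `c-useragent` and `cs-host`, sample values invented for the demonstration). It also shows how an analyst would tune the rule for the regional-TLD false positives mentioned above by passing extra allow-listed suffixes; the `extra_allow` parameter is an assumption of this example, not a Sigma feature. Sigma string matching is case-insensitive, which the helpers emulate by lower-casing both sides.

```python
"""Evaluate the 'Bitsadmin to Uncommon TLD' Sigma rule over constructed proxy log records."""
from typing import Dict, Iterable, List, Tuple

# Values copied from the rule's detection block.
USER_AGENT_PREFIX = "Microsoft BITS/"
BENIGN_SUFFIXES: Tuple[str, ...] = (".com", ".net", ".org", ".scdn.co", ".sfx.ms")


def selection(event: Dict[str, str]) -> bool:
    """selection: c-useragent|startswith 'Microsoft BITS/' (case-insensitive, as in Sigma)."""
    ua = event.get("c-useragent", "")
    return ua.lower().startswith(USER_AGENT_PREFIX.lower())


def falsepositives(event: Dict[str, str], extra_allow: Tuple[str, ...] = ()) -> bool:
    """falsepositives: cs-host|endswith any allow-listed suffix.

    extra_allow is an example-only tuning hook (assumption, not part of the rule)
    for organisations whose software legitimately updates from regional TLDs.
    """
    host = event.get("cs-host", "").lower()
    suffixes = BENIGN_SUFFIXES + tuple(s.lower() for s in extra_allow)
    return any(host.endswith(s) for s in suffixes)


def rule_matches(event: Dict[str, str], extra_allow: Tuple[str, ...] = ()) -> bool:
    """condition: selection and not falsepositives"""
    return selection(event) and not falsepositives(event, extra_allow)


def evaluate(events: Iterable[Dict[str, str]], extra_allow: Tuple[str, ...] = ()) -> List[Dict[str, str]]:
    """Return the records that would raise an alert under this rule."""
    return [e for e in events if rule_matches(e, extra_allow)]


# Constructed sample records (not real traffic), one per behaviour worth checking.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "download.windowsupdate.com"},  # .com allow-listed -> no alert
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "oneclient.sfx.ms"},            # .sfx.ms allow-listed -> no alert
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "cdn.example.xyz"},             # uncommon TLD -> alert
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "updates.vendor.co.uk"},        # regional TLD FP case -> alert
    {"c-useragent": "microsoft bits/7.5", "cs-host": "files.example.io"},            # lower-case UA still matches -> alert
    {"c-useragent": "Mozilla/5.0", "cs-host": "cdn.example.xyz"},                    # not BITS -> no alert
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "login.example.com.xyz"},       # '.com' not the suffix -> alert
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT  ua={hit['c-useragent']!r:24} host={hit['cs-host']}")
    # Tuned run: allow the regional suffix the false-positive note describes.
    print("after tuning (.co.uk allowed):", len(evaluate(SAMPLE_EVENTS, extra_allow=(".co.uk",))), "alerts")
```

Running the block prints four alerts for the untuned rule and three once `.co.uk` is allow-listed. The last sample record is the one to keep in mind when reading the rule: `endswith` only inspects the tail of `cs-host`, so a hostname that merely contains `.com` somewhere before an uncommon TLD is still reported, which is the intended behaviour.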

Rule Metadata
Rule ID
9eb68894-7476-4cd6-8752-23b51f5883a7
Status
test
Level
high
Type
Detection
Created
Thu Mar 07
Modified
Wed May 17
Path
rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
Raw Tags
attack.command-and-control, attack.t1071.001, attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190