Type: Detection | Level: medium | Status: test

BITS Transfer Job Downloading File Potential Suspicious Extension

Detects a new BITS transfer job that saves a local file with a potentially suspicious extension (script, executable or library).

Author: François Hubaut
Created: Tue Mar 01
Updated: Mon Mar 27
Rule ID: b85e5894-9b19-4d86-8c87-a2f3b81f0521
Product: windows
Log Source
Product: windows
Service: bits-client
Detection Logic (2 selectors)
detection:
    selection:
        EventID: 16403
        LocalName|endswith:
            # TODO: Extend this list with more interesting file extensions
            - '.bat'
            - '.dll'
            - '.exe' # TODO: Might wanna comment this if it generates tons of FPs
            - '.hta'
            - '.ps1'
            - '.psd1'
            - '.sh'
            - '.vbe'
            - '.vbs'
    filter_optional_generic:
        # Typical updates: Chrome, Dropbox etc.
        LocalName|contains: '\AppData\'
        RemoteName|contains: '.com'
    condition: selection and not 1 of filter_optional_*
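The following is an added example, not part of the rule or the Sigma project's code. It re-implements the rule's `selection`, `filter_optional_generic` and `condition` in plain Python and runs them over a handful of constructed Bits-Client events (not real telemetry; only the fields the rule reads are included). It makes two things concrete that the YAML alone does not show: a Sigma map selector such as `filter_optional_generic` is an AND of its fields, so a `.dll` written under `\AppData\` is still alerted on when the remote name does not contain `.com`, and Sigma string matching is case-insensitive by default, which the helper mirrors by lower-casing both sides.

```python
"""Evaluate the BITS transfer-job Sigma rule above against constructed events.

Added example, not the Sigma project's own code. The event dictionaries are
constructed for illustration and the EventID used for the "not selected"
case is simply any value other than 16403.
"""

# Extension list copied from the rule's `selection` block.
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".dll", ".exe", ".hta", ".ps1", ".psd1", ".sh", ".vbe", ".vbs",
)


def selection(event: dict) -> bool:
    """`selection`: EventID 16403 and LocalName ending in a listed extension.

    Sigma string modifiers are case-insensitive by default, so compare on
    the lower-cased value.
    """
    if event.get("EventID") != 16403:
        return False
    local = str(event.get("LocalName", "")).lower()
    return any(local.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def filter_optional_generic(event: dict) -> bool:
    """`filter_optional_generic`: a map selector is an AND, so BOTH must hold."""
    local = str(event.get("LocalName", "")).lower()
    remote = str(event.get("RemoteName", "")).lower()
    return "\\appdata\\" in local and ".com" in remote


def rule_matches(event: dict) -> bool:
    """`condition: selection and not 1 of filter_optional_*`."""
    return selection(event) and not filter_optional_generic(event)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # script dropped into a public folder from a bare IP: should alert
        "name": "ps1-to-public",
        "EventID": 16403,
        "LocalName": r"C:\Users\Public\update.ps1",
        "RemoteName": "http://203.0.113.10/update.ps1",
    },
    {   # looks like a vendor updater under AppData from a .com host: filtered
        "name": "updater-appdata-com",
        "EventID": 16403,
        "LocalName": r"C:\Users\alice\AppData\Local\Updater\setup.exe",
        "RemoteName": "https://dl.example.com/setup.exe",
    },
    {   # same AppData location, but the remote is not .com: filter fails, alert
        "name": "appdata-from-ip",
        "EventID": 16403,
        "LocalName": r"C:\Users\alice\AppData\Local\Temp\loader.dll",
        "RemoteName": "http://203.0.113.10/loader.dll",
    },
    {   # benign extension: not selected at all
        "name": "pdf",
        "EventID": 16403,
        "LocalName": r"C:\Users\alice\Downloads\report.pdf",
        "RemoteName": "https://files.example.com/report.pdf",
    },
    {   # right extension, wrong EventID (any value other than 16403): not selected
        "name": "wrong-eventid",
        "EventID": 4,
        "LocalName": r"C:\Users\Public\run.bat",
        "RemoteName": "http://203.0.113.10/run.bat",
    },
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the names of the events the rule would fire on."""
    return [e["name"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['name']:<22} selection={selection(e)!s:<5} "
              f"filtered={filter_optional_generic(e)!s:<5} alert={rule_matches(e)}")
    print("alerts:", alerts())
```

Two practical observations fall out of running it. First, the filter only suppresses events where both the `\AppData\` path and a `.com` remote are present, so a loader pulled from a raw IP into `AppData\Local\Temp` is still reported; when tuning, tighten the filter rather than dropping either field. Second, `RemoteName|contains: '.com'` is a substring test, so it also matches hosts such as `evil.com.attacker.net` or `cdn.company.net`; if that matters in your environment, replace it with `|endswith` on the specific vendor domains you actually observe.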
False Positives

While the file extensions in question can be suspicious, they are also written by legitimate software updaters that use BITS (the `filter_optional_generic` selector above covers the common case of a `.com` source writing under `\AppData\`). Add filters for the updaters seen in your environment to avoid a large number of false positives.

Rule Metadata
Rule ID
b85e5894-9b19-4d86-8c87-a2f3b81f0521
Status
test
Level
medium
Type
Detection
Created
Tue Mar 01
Modified
Mon Mar 27
Path
rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
Raw Tags
attack.defense-evasion
attack.persistence
attack.t1197