New BITS Job Created Via PowerShell

Detects the creation of a new BITS job by PowerShell.

François Hubaut | Created Tue Mar 01 | Updated Mon Mar 27 | fe3a2d49-f255-4d10-935c-bda7391108eb | windows
Log Source
Windows / bits-client
Product: Windows (raw: windows)
Service: bits-client (raw: bits-client)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
False Positives

Administrator PowerShell scripts

Rule Metadata
Rule ID
fe3a2d49-f255-4d10-935c-bda7391108eb
Status
test
Level
low
Type
Detection
Created
Tue Mar 01
Modified
Mon Mar 27
Path
rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.t1197