rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml

title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019/03/07
modified: 2022/08/16
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        r-dns|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`title: Bitsadmin to Uncommon TLD`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 9eb68894-7476-4cd6-8752-23b51f5883a7`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`status: experimental`
fix: fix broken description 2022-11-29 23:43:03 +01:00			`description: Detects Bitsadmin connections to domains with uncommon TLDs`
			`references:`
			`- https://twitter.com/jhencinski/status/1102695118455349248`
			`- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems), Tim Shelton`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`date: 2019/03/07`
proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00			`modified: 2022/08/16`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071.001`
			`- attack.defense_evasion`
			`- attack.persistence`
			`- attack.t1197`
			`- attack.s0190`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`logsource:`
			`category: proxy`
			`detection:`
			`selection:`
$frack113$ Split PR 1802 fix net rules 2021-08-09 17:23:15 +02:00			`c-useragent\|startswith: 'Microsoft BITS/'`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`falsepositives:`
Update proxy_ua_bitsadmin_susp_tld.yml 2020-10-15 23:26:08 -03:00			`r-dns\|endswith:`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`- '.com'`
			`- '.net'`
			`- '.org'`
Adds allow for spotify streaming, which uses this service 2022-05-09 20:38:25 +00:00			`- '.scdn.co' # spotify streaming`
proxy_ua_bitsadmin_susp_tld.yml fp filter 2022-08-16 16:14:08 +02:00			`- '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`condition: selection and not falsepositives`
			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-07 00:11:33 +01:00			`- c-uri`
			`- c-useragent`
Rule: Bitsadmin wot uncommon TLD 2019-03-08 16:20:10 +01:00			`falsepositives:`
			`- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca`
			`level: high`