security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
T

33 lines
953 B
YAML
Raw Normal View History

Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
title: Bitsadmin to Uncommon TLD
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
status: experimental
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
author: Florian Roth
date: 2019/03/07
Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00
modified: 2021/08/09
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
logsource:
category: proxy
detection:
selection:
Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00
c-useragent|startswith: 'Microsoft BITS/'
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
falsepositives:
Update proxy_ua_bitsadmin_susp_tld.yml
2020-10-15 23:26:08 -03:00
r-dns|endswith:
- '.com'
- '.net'
- '.org'
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
condition: selection and not falsepositives
fields:
- ClientIP
Fixed proxy rule field names
2019-12-07 00:11:33 +01:00
- c-uri
- c-useragent
Rule: Bitsadmin wot uncommon TLD
2019-03-08 16:20:10 +01:00
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
Second round
2020-09-15 07:02:30 -06:00
tags:
- attack.command_and_control
- attack.t1071.001
- attack.defense_evasion
- attack.persistence
- attack.t1197
Update proxy_ua_bitsadmin_susp_tld.yml
2020-10-15 23:26:08 -03:00
- attack.s0190
Reference in New Issue Copy Permalink