rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml

title: Bitsadmin Download
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: experimental
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
    - attack.t1036.003    
date: 2017/03/09
modified: 2021/07/16
author: Michael Haag, FPT.EagleEye 
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\bitsadmin.exe'
    susp_flag_1:
        CommandLine|contains:
            - ' /transfer '
    susp_flag_2:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    http_flag:
        CommandLine|contains:
            - 'http'
    selection2:
        CommandLine|contains:
            - 'copy bitsadmin.exe'
    condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium
Massive Title Cleanup 2018-01-27 10:57:30 +01:00			`title: Bitsadmin Download`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede`
bitsadmin & VSSAdmin 2017-03-08 22:49:35 -08:00			`status: experimental`
			`description: Detects usage of bitsadmin downloading a file`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin`
			`- https://isc.sans.edu/diary/22264`
More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00			`- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/`
Further ATT&CK tagging 2018-07-19 23:36:13 +02:00			`tags:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- attack.defense_evasion`
			`- attack.persistence`
			`- attack.t1197`
			`- attack.s0190`
att&ck tags review: windows/process_creation part 5 2020-09-07 02:00:41 +04:00			`- attack.t1036.003`
rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00			`date: 2017/03/09`
More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00			`modified: 2021/07/16`
fix: bug in author field (cannot be a list) 2021-07-27 10:14:53 +02:00			`author: Michael Haag, FPT.EagleEye`
bitsadmin & VSSAdmin 2017-03-08 22:49:35 -08:00			`logsource:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`category: process_creation`
			`product: windows`
bitsadmin & VSSAdmin 2017-03-08 22:49:35 -08:00			`detection:`
rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00			`selection1:`
Update win_process_creation_bitsadmin_download.yml 2020-10-15 18:23:29 -03:00			`Image\|endswith:`
			`- '\bitsadmin.exe'`
More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00			`susp_flag_1:`
Update win_process_creation_bitsadmin_download.yml 2020-10-15 18:23:29 -03:00			`CommandLine\|contains:`
			`- ' /transfer '`
More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00			`susp_flag_2:`
			`CommandLine\|contains:`
			`- ' /create '`
			`- ' /addfile '`
			`http_flag:`
			`CommandLine\|contains:`
			`- 'http'`
rule: fixed and extended bitsadmin rule 2019-12-06 13:39:04 +01:00			`selection2:`
Update win_process_creation_bitsadmin_download.yml 2020-10-15 18:23:29 -03:00			`CommandLine\|contains:`
			`- 'copy bitsadmin.exe'`
More suspicious flag fot bitsadmin execution 2021-07-16 16:40:00 +07:00			`condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2`
Added field names to first rules 2017-09-12 23:54:04 +02:00			`fields:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- CommandLine`
			`- ParentCommandLine`
bitsadmin & VSSAdmin 2017-03-08 22:49:35 -08:00			`falsepositives:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- Some legitimate apps use this, but limited.`
bitsadmin & VSSAdmin 2017-03-08 22:49:35 -08:00			`level: medium`