From bf4c2a508de3b1071400da70f88d2ebcefdae3bd Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:06:57 +0300
Subject: [PATCH] Update win_powershell_bitsjob.yaml

---
 .../windows/process_creation/win_powershell_bitsjob.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml
index 2eb6db523..1bbba2098 100644
--- a/rules/windows/process_creation/win_powershell_bitsjob.yaml
+++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml
@@ -1,10 +1,12 @@
 title: Suspicious Bitsadmin Job via PowerShell
 status: experimental
-description: Detect download of BITS jobs via PowerShell.
+description: Detect download by BITS jobs via PowerShell
 references:
     - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
 author: Endgame, JHasenbusch (ported to sigma for oscd.community)
-date: 2018/30/11
+date: 2018/10/30
+modified: 2019/11/11
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -14,7 +16,8 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine: '*powershell.exe *Start-BitsTransfer*'
+        Image|endswith: '\powershell.exe'
+        CommandLine|contains: 'Start-BitsTransfer'
     condition: selection
 falsepositives:
     - Unknown
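Review bot: The corrected value on the `+date:` line may pick the wrong day: the removed `2018/30/11` reads like a day/month slip for 30 November (Sigma dates are YYYY/MM/DD), which would make it `date: 2018/11/30` rather than `2018/10/30`; worth confirming against the original EQL analytic's publication date before this lands, since `date` feeds rule catalogs and changelogs. The reworded `description` still describes what is detected only loosely — something like `description: Detects PowerShell invoking Start-BitsTransfer, which can be used to download payloads via the BITS service (T1197)` would tell an analyst what the hit actually means. The rest of the hunk (added Atomic Red Team reference, `modified` stamp) is fine.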
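Review bot: The new `Image|endswith: '\powershell.exe'` line matches only the Windows PowerShell binary, so `Start-BitsTransfer` run from PowerShell Core or the ISE is silently out of scope; making the image a list, `Image|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'`, closes the obvious gap (the old `*powershell.exe *` wildcard had the same blind spot, so this is not a regression, just unaddressed). Both new selection lines are also trivially evaded — a renamed or copied powershell binary defeats the `Image` match, and `CommandLine|contains: 'Start-BitsTransfer'` only fires when the cmdlet appears in clear text, not behind `-EncodedCommand` or inside a script file — so the rule should not be read as coverage of T1197 as a whole; a `falsepositives`/description note to that effect, or an additional `OriginalFileName` match where the log source carries it, would make the limitation explicit. `falsepositives: - Unknown` is a weak hint for triage: if this is meant to be tuned per environment, say so (`- Administrative scripts or software deployment tooling that download via BITS`), hedged as a presumption since SOURCE gives no evidence of what benign use looks like. The file continues past `- Unknown` (e.g. `level`) outside this hunk.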