b5d5a648b5
Change to endswith instead of startswith to avoid matching FQDNs whose leading label starts with a digit, example: 3.au.download.windowsupdate.com
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: experimental
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
author: Florian Roth
date: 2022/06/10
modified: 2022/08/24
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
cs-host|endswith:
- '1'
- '2'
- '3'
- '4'
- '5'
- '6'
- '7'
- '8'
- '9'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.command_and_control
- attack.t1071.001
- attack.defense_evasion
- attack.persistence
- attack.t1197
- attack.s0190
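Review bot: The digit list under `cs-host|endswith` runs from `'1'` to `'9'` and omits `'0'`, so any IPv4 literal whose last octet ends in 0 (`x.x.x.10`, `x.x.x.100`, `x.x.x.250`, …) is silently not matched, a gap of roughly one address in ten for a rule whose whole purpose is to catch IP-addressed BITS transfers; add `- '0'` to the list. Beyond that, "last character is a digit" is only a proxy for "host is an IP literal": IPv6 literals are not covered at all, and if a given proxy writes `host:port` into `cs-host` then FQDNs with an explicit port would also match — whether that happens depends on the log source, so it is worth confirming against the backend field mapping, and an anchored IPv4 `re` match is a tighter alternative where the target backend supports the modifier. The `falsepositives` entry `Unknown` could name the obvious one, internal update or distribution servers (e.g. WSUS) that clients reach by IP address, since that is the scenario an analyst will hit first with `level: high`.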