Sigma detection rules

Home/Sigma rules

Sigma

15 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

15 shown of 15

high

BITS Transfer Job Download From Direct IP

Detects a BITS transfer job downloading file(s) from a direct IP address.

status test author Nasreddine Bencherchali (Nextron Systems) id 90f138c1-f578-4ac3-8c49-eecfd847c8b7

view Sigma YAML

title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

high

BITS Transfer Job Download From File Sharing Domains

Detects BITS transfer job downloading files from a file sharing domain.

status test author Florian Roth (Nextron Systems) id d635249d-86b5-4dad-a8c7-d7272b788586

view Sigma YAML

title: BITS Transfer Job Download From File Sharing Domains
id: d635249d-86b5-4dad-a8c7-d7272b788586
status: test
description: Detects BITS transfer job downloading files from a file sharing domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
    - https://twitter.com/malmoeb/status/1535142803075960832
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection
falsepositives:
    - Unknown
level: high

high

BITS Transfer Job Download To Potential Suspicious Folder

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

status test author Florian Roth (Nextron Systems) id f8a56cb7-a363-44ed-a82f-5926bb44cd05

view Sigma YAML

title: BITS Transfer Job Download To Potential Suspicious Folder
id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
status: test
description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        LocalName|contains:
            # TODO: Add more interesting suspicious paths
            - '\Desktop\'
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDN names

status test author Florian Roth (Nextron Systems) id 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3

view Sigma YAML

title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

status test author Florian Roth (Nextron Systems), Tim Shelton id 9eb68894-7476-4cd6-8752-23b51f5883a7

view Sigma YAML

title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high

high

File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 2ddef153-167b-4e89-86b6-757a9e65dcac

view Sigma YAML

title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

high

File With Suspicious Extension Downloaded Via Bitsadmin

Detects usage of bitsadmin downloading a file with a suspicious extension

status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200

view Sigma YAML

title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

high

Suspicious Download From Direct IP Via Bitsadmin

Detects usage of bitsadmin downloading a file using an URL that contains an IP

status test author Florian Roth (Nextron Systems) id 99c840f2-2012-46fd-9141-c761987550ef

view Sigma YAML

title: Suspicious Download From Direct IP Via Bitsadmin
id: 99c840f2-2012-46fd-9141-c761987550ef
related:
    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    filter_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml

high

Suspicious Download From File-Sharing Website Via Bitsadmin

Detects usage of bitsadmin downloading a file from a suspicious domain

status test author Florian Roth (Nextron Systems) id 8518ed3d-f7c9-4601-a26c-f361a4256a0c

view Sigma YAML

title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

medium

BITS Transfer Job Downloading File Potential Suspicious Extension

Detects new BITS transfer job saving local files with potential suspicious extensions

status test author frack113 id b85e5894-9b19-4d86-8c87-a2f3b81f0521

view Sigma YAML

title: BITS Transfer Job Downloading File Potential Suspicious Extension
id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
status: test
description: Detects new BITS transfer job saving local files with potential suspicious extensions
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        LocalName|endswith:
            # TODO: Extend this list with more interesting file extensions
            - '.bat'
            - '.dll'
            - '.exe' # TODO: Might wanna comment this if it generates tons of FPs
            - '.hta'
            - '.ps1'
            - '.psd1'
            - '.sh'
            - '.vbe'
            - '.vbs'
    filter_optional_generic:
        # Typical updates: Chrome, Dropbox etc.
        LocalName|contains: '\AppData\'
        RemoteName|contains: '.com'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
level: medium

medium

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

status test author Florian Roth (Nextron Systems) id 6d44fb93-e7d2-475c-9d3d-54c9c1e33427

view Sigma YAML

title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
status: test
description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
    - https://twitter.com/malmoeb/status/1535142803075960832
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2025-02-28
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
    filter_main_generic:
        RemoteName|contains:
            - '.azureedge.net/'
            - '.com/'
            - '.sfx.ms/'
            - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&amp;os=win64&amp;lang=en-US
            - 'cdn.onenote.net/'
            - 'cdn.office.net/'
            - 'tscdn.m365.static.microsoft/'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
level: medium

medium

File Download Via Bitsadmin

Detects usage of bitsadmin downloading a file

status test author Michael Haag, FPT.EagleEye id d059842b-6b9d-4ed1-b5c3-5b89143c6ede

view Sigma YAML

title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cmd:
        CommandLine|contains: ' /transfer '
    selection_cli_1:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    selection_cli_2:
        CommandLine|contains: 'http'
    condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

medium

Monitoring For Persistence Via BITS

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.

status test author Sreeman id b9cbbc17-d00d-4e3d-a827-b06d03d2380d

view Sigma YAML

title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: |
    BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
    When the job runs on the system the command specified in the BITS job will be executed.
    This can be abused by actors to create a backdoor within the system and for persistence.
    It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020-10-29
modified: 2024-01-25
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cli_notify_1:
        CommandLine|contains: '/SetNotifyCmdLine'
    selection_cli_notify_2:
        CommandLine|contains:
            - '%COMSPEC%'
            - 'cmd.exe'
            - 'regsvr32.exe'
    selection_cli_add_1:
        CommandLine|contains: '/Addfile'
    selection_cli_add_2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
            - 'ftp:'
            - 'ftps:'
    condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
    - Unknown
level: medium

low

New BITS Job Created Via Bitsadmin

Detects the creation of a new bits job by Bitsadmin

status test author frack113 id 1ff315dc-2a3a-4b71-8dde-873818d25d39

view Sigma YAML

title: New BITS Job Created Via Bitsadmin
id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
status: test
description: Detects the creation of a new bits job by Bitsadmin
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith: '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
level: low

low

New BITS Job Created Via PowerShell

Detects the creation of a new bits job by PowerShell

status test author frack113 id fe3a2d49-f255-4d10-935c-bda7391108eb

view Sigma YAML

title: New BITS Job Created Via PowerShell
id: fe3a2d49-f255-4d10-935c-bda7391108eb
status: test
description: Detects the creation of a new bits job by PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: low

Showing 1-15 of 15

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin