LoFP
t1197
Administrator PowerShell scripts.
Tags: t1078, t1197, windows, sigma
Limited false positives will be present. Typically, applications will use `bitsadmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.
Tags: t1197, endpoint, splunk
Limited false positives; however, it may be required to filter based on parent process name or network connection.
Tags: t1105, t1197, endpoint, splunk
Limited false positives. It is possible administrators will utilize Start-BitsTransfer for administrative tasks; otherwise filter based on parent process or command-line arguments.
Tags: t1197, endpoint, splunk
Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the jobid field.
Tags: t1197, windows, sigma
Rare programs that use bitsadmin and update from regional TLDs, e.g. .uk or .ca.
Tags: t1071, t1071.001, t1197, sigma
Some legitimate apps use this, but limited.
Tags: t1036, t1036.003, t1197, windows, sigma
This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service.
Tags: t1197, windows, sigma
While the file extensions in question can be suspicious at times, it's best to add filters according to your environment to avoid a large amount of false positives.
Tags: t1197, windows, sigma