many legitimate applications or scripts could leverage \"bitsadmin\". this event is best correlated with eid 16403 via the jobid field

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml>sigma
technicques: t1197

Techniques

Detects the creation of a new bits job by Bitsadmin

condition: selection
selection:
  EventID: 3
  processPath|endswith: \bitsadmin.exe