LoFP / rare programs that use bitsadmin and update from regional tlds e.g. .uk or .ca

Techniques

Sample rules

Bitsadmin to Uncommon TLD

source: sigma
technicques:
- t1071
- t1071.001
- t1197

Description

Detects Bitsadmin connections to domains with uncommon TLDs

Detection logic

condition: selection and not falsepositives
falsepositives:
  cs-host|endswith:
  - .com
  - .net
  - .org
  - .scdn.co
  - .sfx.ms
selection:
  c-useragent|startswith: Microsoft BITS/