LoFP: this rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service.

Techniques

Sample rules

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Description

Detects a suspicious download using the BITS client from an unusual FQDN. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic:
  RemoteName|contains:
  - .azureedge.net/
  - .com/
  - .sfx.ms/
  - download.mozilla.org/
selection:
  EventID: 16403
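The following is an added example, not code from the LoFP page or from the Sigma rule it quotes. It evaluates the rule's `selection and not 1 of filter_main_*` logic over a handful of constructed BITS-Client event records and shows the false-positive note in action: a ".org" or ".net" download is not excluded by `filter_main_generic`, while an extra allow-list entry (the additional filter the note recommends) removes it. Field names (`EventID`, `RemoteName`) follow the rule; the event records and hostnames are made up.

```python
# Added example (not from the LoFP page or the Sigma rule): evaluates the rule's
# selection/filter logic over constructed BITS-Client event records and shows how
# an additional, environment-specific allow-list entry changes the result.

BITS_JOB_EVENT_ID = 16403  # EventID used by the rule's `selection`

# filter_main_generic from the rule: substrings that suppress an alert
FILTER_MAIN_GENERIC = (".azureedge.net/", ".com/", ".sfx.ms/", "download.mozilla.org/")


def matches_rule(event, extra_filters=()):
    """Return True if the event would trigger the rule.

    Implements `selection and not 1 of filter_main_*`: the event must carry
    EventID 16403, and RemoteName must not contain any filtered substring.
    `extra_filters` models the additional filters the LoFP note recommends
    (hypothetical; tune to the software actually used in your environment).
    """
    if event.get("EventID") != BITS_JOB_EVENT_ID:
        return False
    remote = event.get("RemoteName", "")
    for needle in (*FILTER_MAIN_GENERIC, *extra_filters):
        if needle in remote:  # Sigma `contains` is a substring match
            return False
    return True


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "https://cdn.example.com/update.bin"},        # ".com/" filtered
    {"EventID": 16403, "RemoteName": "https://mirror.example.org/tool.zip"},       # ".org" not excluded
    {"EventID": 16403, "RemoteName": "https://files.example.net/agent.exe"},       # ".net" not excluded
    {"EventID": 16403, "RemoteName": "https://download.mozilla.org/firefox.exe"},  # explicit allow-list hit
    {"EventID": 16403, "RemoteName": "https://host.example.xyz/payload"},          # uncommon TLD
    {"EventID": 16404, "RemoteName": "https://host.example.xyz/payload"},          # wrong EventID, no match
]


def evaluate(events, extra_filters=()):
    """Return the RemoteName values that would alert, in input order."""
    return [e["RemoteName"] for e in events if matches_rule(e, extra_filters)]


if __name__ == "__main__":
    print("baseline alerts:", evaluate(SAMPLE_EVENTS))
    # Hypothetical extra filter for a known-good .org mirror used by local software
    print("with extra filter:", evaluate(SAMPLE_EVENTS, extra_filters=("mirror.example.org/",)))
```

Because the filter is a plain substring match on the full URL, the ".com/" entry only suppresses a RemoteName that contains the TLD followed by a slash; a bare "https://host.example.com" without a path would still alert, which is worth keeping in mind when reviewing hits and when adding your own filter entries.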