LoFP / While the file extensions in question can be suspicious at times, it's best to add filters according to your environment to avoid a large number of false positives.

Techniques

Sample rules

BITS Transfer Job Downloading File Potential Suspicious Extension

Description

Detects a new BITS transfer job saving local files with potentially suspicious extensions.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_generic:
  LocalName|contains: \AppData\
  RemoteName|contains: .com
selection:
  EventID: 16403
  LocalName|endswith:
  - .bat
  - .dll
  - .exe
  - .hta
  - .ps1
  - .psd1
  - .sh
  - .vbe
  - .vbs
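The rule's selection and filter evaluated over constructed BITS-Client event records, as an added Python example (not the rule's own code and not part of the LoFP page): it shows that the two keys of the filter are AND-ed, so a suspicious extension written outside \AppData\ still alerts even when the remote host name contains ".com", and that a match is case-insensitive as in Sigma. Event values are constructed samples, not real telemetry.

```python
# Added example: evaluates the Sigma detection logic above against constructed
# BITS-Client event records (EventID 16403). Not part of the LoFP page or the
# Sigma project; the event dicts below are constructed samples.

SUSPICIOUS_EXT = (".bat", ".dll", ".exe", ".hta", ".ps1", ".psd1", ".sh", ".vbe", ".vbs")


def selection(ev):
    # Sigma string modifiers match case-insensitively, so normalise the path.
    local = str(ev.get("LocalName", "")).lower()
    return ev.get("EventID") == 16403 and local.endswith(SUSPICIOUS_EXT)


def filter_optional_generic(ev):
    # Both keys of a Sigma map are AND-ed: the filter only suppresses jobs that
    # write under \AppData\ AND pull from a RemoteName containing ".com".
    local = str(ev.get("LocalName", "")).lower()
    remote = str(ev.get("RemoteName", "")).lower()
    return "\\appdata\\" in local and ".com" in remote


def matches(ev):
    # condition: selection and not 1 of filter_optional_*
    return selection(ev) and not filter_optional_generic(ev)


def run(events):
    # Returns the LocalName of every event the rule would alert on.
    return [ev["LocalName"] for ev in events if matches(ev)]


# Constructed sample events (paths and hosts are illustrative placeholders).
SAMPLE_EVENTS = [
    {"EventID": 16403, "LocalName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "RemoteName": "https://download.example.com/update.exe"},  # suppressed by filter
    {"EventID": 16403, "LocalName": r"C:\Users\alice\Downloads\invoice.vbs",
     "RemoteName": "https://files.example.net/invoice.vbs"},     # alert
    {"EventID": 16403, "LocalName": r"C:\ProgramData\tool.PS1",
     "RemoteName": "https://cdn.example.com/tool.ps1"},          # alert: not under \AppData\
    {"EventID": 16403, "LocalName": r"C:\Users\alice\Downloads\report.pdf",
     "RemoteName": "https://files.example.com/report.pdf"},      # extension not in list
    {"EventID": 16404, "LocalName": r"C:\Users\alice\Downloads\setup.exe",
     "RemoteName": "https://files.example.net/setup.exe"},       # different EventID (constructed)
]

if __name__ == "__main__":
    for name in run(SAMPLE_EVENTS):
        print("ALERT", name)
```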