Suspicious Bitsadmin Job via PowerShell¶

Detect download of BITS jobs via PowerShell.

id:	ec5180c9-721a-460f-bddc-27539a284273
categories:	detect
confidence:	medium
os:	windows
created:	11/30/2018
updated:	11/30/2018

MITRE ATT&CK™ Mapping¶

tactics:	Defense Evasion, Persistence
techniques:	T1197 BITS Jobs

Query¶

process where subtype.create and
  process_name == "powershell.exe" and command_line == "*Start-BitsTransfer*"

Detonation¶

Atomic Red Team: T1197

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.