Suspicious Bitsadmin Job via PowerShell¶
Detect download of BITS jobs via PowerShell.
| id: | ec5180c9-721a-460f-bddc-27539a284273 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion, Persistence |
|---|---|
| techniques: | T1197 BITS Jobs |
Query¶
process where subtype.create and
process_name == "powershell.exe" and command_line == "*Start-BitsTransfer*"