Suspicious Bitsadmin Job via bitsadmin.exe

Detects BITS download jobs started via bitsadmin.exe.

id: ef9fe5c0-b16f-4384-bb61-95977799a84c
categories: detect
confidence: medium
os: windows
created: 11/30/2018
updated: 11/30/2018

MITRE ATT&CK™ Mapping

tactics: Defense Evasion, Persistence
techniques: T1197 BITS Jobs

Query

process where subtype.create and
  process_name == "bitsadmin.exe" and command_line == "* /download *"
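
The query's matching logic, as an added Python example that is not part of the original analytic or of the EQL project: it evaluates the same three clauses over constructed process events to show which records alert. The event field layout, the sample records and the case-insensitive wildcard comparison are assumptions.

```python
import re

# Clauses of the page's query, expressed as data.
RULE_PROCESS_NAME = "bitsadmin.exe"
RULE_COMMAND_LINE = "* /download *"


def wildcard_to_regex(pattern):
    """Compile a '*' wildcard pattern into a case-insensitive regex."""
    # Assumption: the query engine compares strings case-insensitively.
    literals = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literals), re.IGNORECASE | re.DOTALL)


COMMAND_LINE_RE = wildcard_to_regex(RULE_COMMAND_LINE)


def matches_rule(event):
    """True when a record satisfies every clause of the query."""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() == RULE_PROCESS_NAME
        and COMMAND_LINE_RE.fullmatch(event.get("command_line", "")) is not None
    )


def detect(events):
    """Return the ids of the events the rule alerts on, in input order."""
    return [event["id"] for event in events if matches_rule(event)]


def _event(event_id, subtype, name, command_line):
    return {"id": event_id, "event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": command_line}


# Constructed sample events, not real telemetry; names, URL and paths are placeholders.
JOB = "/transfer job1 /download /priority normal https://example.invalid/f.bin C:\\Temp\\f.bin"
SAMPLE_EVENTS = [
    _event(1, "create", "bitsadmin.exe", "bitsadmin.exe " + JOB),
    _event(2, "create", "BITSADMIN.EXE", "BITSADMIN.EXE " + JOB.upper()),
    _event(3, "create", "bitsadmin.exe", "bitsadmin.exe /list /allusers"),
    _event(4, "create", "othertool.exe", "othertool.exe /download report.txt"),
    _event(5, "terminate", "bitsadmin.exe", "bitsadmin.exe " + JOB),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Events 3 to 5 each fail exactly one clause (command line, process name, subtype), which is why the query needs all three.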

Contributors