Suspicious Bitsadmin Job via bitsadmin.exe
Detects BITS download jobs created with bitsadmin.exe.
| id: | ef9fe5c0-b16f-4384-bb61-95977799a84c |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping

| tactics: | Defense Evasion, Persistence |
|---|---|
| techniques: | T1197 BITS Jobs |
Query
process where subtype.create
and process_name == "bitsadmin.exe"
and wildcard(command_line, "* /download *", "*transfer*")
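
The query's three conditions replayed over constructed process events, as an added example that is not part of the original analytic. The `event_type` field name, the sample events, and the matching semantics (case-insensitive, `*` matches any run of characters, pattern anchored to the whole string) are assumptions of this example.

```python
import re

# Patterns copied from the query's wildcard() call.
PATTERNS = ["* /download *", "*transfer*"]

def wildcard(value, *patterns):
    """Assumed EQL semantics: '*' matches any run of characters; the match
    covers the whole string and ignores case."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL):
            return True
    return False

def matches(event):
    """process where subtype.create and process_name == "bitsadmin.exe"
    and wildcard(command_line, ...)"""
    return (
        event.get("event_type") == "process"
        and event.get("subtype") == "create"
        and event.get("process_name", "").lower() == "bitsadmin.exe"
        and wildcard(event.get("command_line", ""), *PATTERNS)
    )

def detect(events):
    """Return the command lines of all events the analytic would flag."""
    return [e["command_line"] for e in events if matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "bitsadmin.exe",
     "command_line": r"bitsadmin.exe /transfer job1 /download /priority normal https://example.test/a.bin C:\Temp\a.bin"},
    {"event_type": "process", "subtype": "create", "process_name": "BITSAdmin.exe",
     "command_line": r"BITSADMIN /Transfer job2 https://example.test/b.bin C:\Temp\b.bin"},
    {"event_type": "process", "subtype": "create", "process_name": "bitsadmin.exe",
     "command_line": "bitsadmin /list /allusers"},          # no download/transfer keyword
    {"event_type": "process", "subtype": "terminate", "process_name": "bitsadmin.exe",
     "command_line": "bitsadmin /transfer job3 https://example.test/c.bin C:\\Temp\\c.bin"},  # not a create event
    {"event_type": "process", "subtype": "create", "process_name": "backup.exe",
     "command_line": r"backup.exe --transfer-log C:\logs"},  # keyword present, wrong process
]

if __name__ == "__main__":
    for command_line in detect(SAMPLE_EVENTS):
        print("ALERT:", command_line)
```

Only the first two events are flagged; the other three each fail one of the query's conditions, which is useful when triaging why an expected alert did not fire.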