Suspicious Bitsadmin Job via bitsadmin.exe

Detect download of BITS jobs via bitsadmin.exe.

id:ef9fe5c0-b16f-4384-bb61-95977799a84c categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion, Persistence techniques:T1197 BITS Jobs

Query

process where subtype.create
  and process_name == "bitsadmin.exe"
  and wildcard(command_line, "* /download *", "*transfer*")

Detonation

Atomic Red Team: T1197

Contributors

• Endgame