detection.wiki

Detection rules › Sigma

Suspicious Download From File-Sharing Website Via Bitsadmin

Status
test
Severity
high
Log source
product windows, category process_creation
Author
Florian Roth (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects usage of bitsadmin downloading a file from a suspicious domain

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1197 BITS Jobs
PersistenceT1197 BITS Jobs
StealthT1036.003 Masquerading: Rename Legitimate Utilities, T1197 BITS Jobs
Command & ControlT1105 Ingress Tool Transfer

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation

Rule body yaml

title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_img

selection_img:
    - Image|endswith: '\bitsadmin.exe'
    - OriginalFileName: 'bitsadmin.exe'

Stage 2: selection_flags

selection_flags:
    CommandLine|contains:
        - ' /transfer '
        - ' /create '
        - ' /addfile '

Stage 3: selection_domain

selection_domain:
    CommandLine|contains:
        - '.githubusercontent.com'
        - 'anonfiles.com'
        - 'cdn.discordapp.com'
        - 'ddns.net'
        - 'dl.dropboxusercontent.com'
        - 'ghostbin.co'
        - 'github.com'
        - 'glitch.me'
        - 'gofile.io'
        - 'hastebin.com'
        - 'mediafire.com'
        - 'mega.nz'
        - 'onrender.com'
        - 'pages.dev'
        - 'paste.ee'
        - 'pastebin.com'
        - 'pastebin.pl'
        - 'pastetext.net'
        - 'privatlab.com'
        - 'privatlab.net'
        - 'send.exploit.in'
        - 'sendspace.com'
        - 'storage.googleapis.com'
        - 'storjshare.io'
        - 'supabase.co'
        - 'temp.sh'
        - 'transfer.sh'
        - 'trycloudflare.com'
        - 'ufile.io'
        - 'w3spaces.com'
        - 'workers.dev'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /addfile corpus 5 (sigma 5)
  • /create corpus 15 (sigma 15)
  • /transfer corpus 5 (sigma 5)
  • .githubusercontent.com corpus 5 (sigma 4, chronicle 1)
  • anonfiles.com corpus 6 (sigma 5, chronicle 1)
  • cdn.discordapp.com corpus 6 (sigma 5, chronicle 1)
  • ddns.net corpus 6 (sigma 5, chronicle 1)
  • dl.dropboxusercontent.com corpus 6 (sigma 5, chronicle 1)
  • ghostbin.co corpus 6 (sigma 5, chronicle 1)
  • github.com corpus 4 (sigma 4)
  • glitch.me corpus 6 (sigma 5, chronicle 1)
  • gofile.io corpus 6 (sigma 5, chronicle 1)
  • hastebin.com corpus 6 (sigma 5, chronicle 1)
  • mediafire.com corpus 6 (sigma 5, chronicle 1)
  • mega.nz corpus 6 (sigma 5, chronicle 1)
  • onrender.com corpus 6 (sigma 5, chronicle 1)
  • pages.dev corpus 6 (sigma 5, chronicle 1)
  • paste.ee corpus 6 (sigma 5, chronicle 1)
  • pastebin.com corpus 6 (sigma 5, chronicle 1)
  • pastebin.pl corpus 6 (sigma 5, chronicle 1)
  • pastetext.net corpus 6 (sigma 5, chronicle 1)
  • privatlab.com corpus 6 (sigma 5, chronicle 1)
  • privatlab.net corpus 6 (sigma 5, chronicle 1)
  • send.exploit.in corpus 6 (sigma 5, chronicle 1)
  • sendspace.com corpus 6 (sigma 5, chronicle 1)
  • storage.googleapis.com corpus 6 (sigma 5, chronicle 1)
  • storjshare.io corpus 6 (sigma 5, chronicle 1)
  • supabase.co corpus 6 (sigma 5, chronicle 1)
  • temp.sh corpus 6 (sigma 5, chronicle 1)
  • transfer.sh corpus 6 (sigma 5, chronicle 1)
  • trycloudflare.com corpus 6 (sigma 5, chronicle 1)
  • ufile.io corpus 6 (sigma 5, chronicle 1)
  • w3spaces.com corpus 6 (sigma 5, chronicle 1)
  • workers.dev corpus 6 (sigma 5, chronicle 1)
Imageends_with
  • \bitsadmin.exe corpus 29 (sigma 29)
OriginalFileNameeq
  • bitsadmin.exe corpus 12 (sigma 9, splunk 2, kusto 1)