bitsadmin & VSSAdmin

+Bitsadmin download
+VSSAdmin delete

rules/windows/sysmon/sysmon_bitsadmin_download.yml

@@ -0,0 +1,18 @@
+title: Bitsadmin download
+status: experimental
+description: Detects usage of bitsadmin downloading a file
+reference: https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+author: Michael Haag
+logsource:
+    product: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\bitsadmin.exe'
+        CommandLine:
+            - '/transfer'
+    condition: selection
+falsepositives:
+    - Some legitimate apps use this, but limited.
+level: medium

rules/windows/sysmon/sysmon_vssadmin_delete.yml

@@ -0,0 +1,18 @@
+title: vssadmin delete shadow copies
+status: experimental
+description: Detects malicious usage of vssadmin deleting volume shadows
+reference: https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+author: Michael Haag
+logsource:
+    product: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\vssadmin.exe'
+        CommandLine:
+            - 'Delete Shadows /All /Quiet'
+    condition: selection
+falsepositives:
+    - Some legitimate apps use this, but limited.
+level: medium