title: Bitsadmin download
status: experimental
description: Detects usage of bitsadmin downloading a file
reference: 
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\bitsadmin.exe'
        CommandLine:
            - '/transfer'
    condition: selection
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium