valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 17:45:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
11df6468c4
atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/sysmon_bitsadmin_download.md

4.5 KiB
Raw Blame History

Title Bitsadmin Download
Description Detects usage of bitsadmin downloading a file
ATT&CK Tactic
ATT&CK Technique
Data Needed
Trigger
Severity Level medium
False Positives
  • Some legitimate apps use this, but limited.
Development Status experimental
References
Author Michael Haag
Other Tags
  • attack.s0190
  • attack.s0190

Detection Rules

Sigma rule

title: Bitsadmin Download
status: experimental
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\bitsadmin.exe'
        CommandLine:
            - '/transfer'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium

Kibana query

(EventID:"1" AND Image.keyword:(*\\\\bitsadmin.exe) AND CommandLine:("\\/transfer"))

X-Pack Watcher

curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Bitsadmin-Download <<EOF\n{\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "query_string": {\n              "query": "(EventID:\\"1\\" AND Image.keyword:(*\\\\\\\\bitsadmin.exe) AND CommandLine:(\\"\\\\/transfer\\"))",\n              "analyze_wildcard": true\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": null,\n        "subject": "Sigma Rule \'Bitsadmin Download\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n

Graylog

(EventID:"1" AND Image:("*\\\\bitsadmin.exe") AND CommandLine:("\\/transfer"))