Suspicious Bitsadmin Job via bitsadmin.exe¶

Detect download of BITS jobs via bitsadmin.exe.

id:	ef9fe5c0-b16f-4384-bb61-95977799a84c
categories:	detect
confidence:	medium
os:	windows
created:	11/30/2018
updated:	11/30/2018

MITRE ATT&CK™ Mapping¶

tactics:	Defense Evasion, Persistence
techniques:	T1197 BITS Jobs

Query¶

process where subtype.create
  and process_name == "bitsadmin.exe"
  and wildcard(command_line, "* /download *", "*transfer*")

Detonation¶

Atomic Red Team: T1197

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.