Bitsadmin Activity
| Id | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 |
| Rulename | Bitsadmin Activity |
| Description | Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part of a malware downloader. Additionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This query will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer directionality. |
| Severity | Medium |
| Tactics | Persistence CommandAndControl Exfiltration |
| Techniques | T1197 T1105 T1048 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/BITSAdminActivity.yaml |
| Version | 1.0.0 |
| Arm template | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195.json |
DeviceProcessEvents
| where
(FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')
and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')
| extend
ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')
| extend
RemoteUrl = tostring(ParsedCommandLine[-2]),
LocalFile= tostring(ParsedCommandLine[-1]),
Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
| project-reorder
TimeGenerated,
DeviceId,
DeviceName,
Direction,
RemoteUrl,
LocalFile,
InitiatingProcessFolderPath,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessSHA256,
ProcessId,
ProcessCommandLine
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
id: 2a1dc4c2-a8d6-4a0e-8539-9b971c851195
tactics:
- Persistence
- CommandAndControl
- Exfiltration
queryPeriod: 1h
triggerThreshold: 0
name: Bitsadmin Activity
query: |
DeviceProcessEvents
| where
(FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')
and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')
| extend
ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')
| extend
RemoteUrl = tostring(ParsedCommandLine[-2]),
LocalFile= tostring(ParsedCommandLine[-1]),
Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
| project-reorder
TimeGenerated,
DeviceId,
DeviceName,
Direction,
RemoteUrl,
LocalFile,
InitiatingProcessFolderPath,
InitiatingProcessAccountDomain,
InitiatingProcessAccountName,
InitiatingProcessSHA256,
ProcessId,
ProcessCommandLine
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1197
- T1105
- T1048
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/BITSAdminActivity.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
description: |
Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers.
This service is commonly used for legitimate purposes, but can also be used as part of a malware downloader.
Additionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This
query will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer
directionality.
status: Available
version: 1.0.0
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: ProcessId
identifier: ProcessId
- columnName: ProcessCommandLine
identifier: CommandLine
entityType: Process
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2a1dc4c2-a8d6-4a0e-8539-9b971c851195')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2a1dc4c2-a8d6-4a0e-8539-9b971c851195')]",
"properties": {
"alertRuleTemplateName": "2a1dc4c2-a8d6-4a0e-8539-9b971c851195",
"customDetails": null,
"description": "Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. \nThis service is commonly used for legitimate purposes, but can also be used as part of a malware downloader. \nAdditionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This\nquery will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer\ndirectionality.\n",
"displayName": "Bitsadmin Activity",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessId",
"identifier": "ProcessId"
},
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/BITSAdminActivity.yaml",
"query": "DeviceProcessEvents\n| where \n (FileName =~ \"bitsadmin.exe\" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')\n and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')\n| extend \n ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')\n| extend \n RemoteUrl = tostring(ParsedCommandLine[-2]),\n LocalFile= tostring(ParsedCommandLine[-1]),\n Direction = iff(ProcessCommandLine has \"/Upload\", 'Upload', 'Download')\n| project-reorder \n TimeGenerated,\n DeviceId,\n DeviceName,\n Direction,\n RemoteUrl,\n LocalFile,\n InitiatingProcessFolderPath,\n InitiatingProcessAccountDomain,\n InitiatingProcessAccountName,\n InitiatingProcessSHA256,\n ProcessId,\n ProcessCommandLine\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration",
"Persistence"
],
"techniques": [
"T1048",
"T1105",
"T1197"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}