Bitsadmin Activity

DeviceProcessEvents
| where 
    (FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')
    and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')
| extend 
    ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')
| extend     
    RemoteUrl = tostring(ParsedCommandLine[-2]),
    LocalFile= tostring(ParsedCommandLine[-1]),
    Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
| project-reorder 
    TimeGenerated,
    DeviceId,
    DeviceName,
    Direction,
    RemoteUrl,
    LocalFile,
    InitiatingProcessFolderPath,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName,
    InitiatingProcessSHA256,
    ProcessId,
    ProcessCommandLine
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

relevantTechniques:
- T1197
- T1105
- T1048
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessId
    identifier: ProcessId
  - columnName: ProcessCommandLine
    identifier: CommandLine
version: 1.0.0
id: 2a1dc4c2-a8d6-4a0e-8539-9b971c851195
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
  Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. 
  This service is commonly used for legitimate purposes, but can also be used as part of a malware downloader. 
  Additionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This
  query will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer
  directionality.  
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
triggerOperator: gt
name: Bitsadmin Activity
tactics:
- Persistence
- CommandAndControl
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/BITSAdminActivity.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  DeviceProcessEvents
  | where 
      (FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')
      and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')
  | extend 
      ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')
  | extend     
      RemoteUrl = tostring(ParsedCommandLine[-2]),
      LocalFile= tostring(ParsedCommandLine[-1]),
      Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
  | project-reorder 
      TimeGenerated,
      DeviceId,
      DeviceName,
      Direction,
      RemoteUrl,
      LocalFile,
      InitiatingProcessFolderPath,
      InitiatingProcessAccountDomain,
      InitiatingProcessAccountName,
      InitiatingProcessSHA256,
      ProcessId,
      ProcessCommandLine
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
status: Available