title: Suspicious Bitstransfer via PowerShell
author: Austin Songer @austinsonger
date: 2021/08/19
description: Detects transferring files from system on a server bitstransfer Powershell
  cmdlets
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\powershell.exe'
    - '*\powershell_ise.exe'
    - '*\pwsh.exe'
  SELECTION_3:
    CommandLine:
    - '*Get-BitsTransfer*'
    - '*Add-BitsFile*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
id: cd5c8085-4070-4e22-908d-a5b3342deb74
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
status: experimental
tags:
- attack.exfiltration
- attack.persistence
- attack.t1197
ruletype: SIGMA