hayabusa/rules/Sigma/win_susp_bitstransfer.yml

title: Suspicious Bitstransfer via PowerShell
author: Austin Songer @austinsonger
date: 2021/08/19
description: Detects transferring files from system on a server bitstransfer Powershell
    cmdlets
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\powershell.exe'
    SELECTION_3:
        Image: '*\powershell_ise.exe'
    SELECTION_4:
        Image: '*\pwsh.exe'
    SELECTION_5:
        CommandLine: '*Get-BitsTransfer*'
    SELECTION_6:
        CommandLine: '*Add-BitsFile*'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5
        or SELECTION_6))
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
id: cd5c8085-4070-4e22-908d-a5b3342deb74
level: medium
logsource:
    category: process_creation
    product: windows
references:
- https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
status: experimental
tags:
- attack.exfiltration
- attack.persistence
- attack.t1197
yml_filename: win_susp_bitstransfer.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation