NF – POLICY – Bitsadmin tool used to do downloads – BITS 4.0

This alert is triggered when the Bitsadmin tool is used to initiate an HTTP download from an internal network device. Bitsadmin, a command-line tool, is often used to transfer files and can be exploited by malware for data exfiltration or unauthorized downloads.

Categories:

ID Number

5020402

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - POLICY - Bitsadmin tool used to do downloads - BITS 4.0"; flow:established,to_server; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; content:!"windowsupdate.com|0d 0a|"; nocase; http_header; content:!"microsoft.com|0d 0a|"; nocase; http_header; reference:url,networkforensic.dk; metadata:08052016; classtype:misc-activity; sid:5020402; rev:3;)

Severity

High

Recommendations/Investigative actions

Determine which internal device is using Bitsadmin and check the device for signs of unauthorized scripting or malicious activity. Restrict or block Bitsadmin usage if it’s not required for legitimate operations