NF – POLICY – Bitsadmin tool used to do downloads – BITS 4.0
This alert is triggered when the Bitsadmin tool is used to initiate an HTTP download from an internal network device. Bitsadmin, a command-line tool, is often used to transfer files and can be exploited by malware for data exfiltration or unauthorized downloads.
Signature
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NF - POLICY - Bitsadmin tool used to do downloads - BITS 4.0"; flow:established,to_server; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; content:!"windowsupdate.com|0d 0a|"; nocase; http_header; content:!"microsoft.com|0d 0a|"; nocase; http_header; reference:url,networkforensic.dk; metadata:08052016; classtype:misc-activity; sid:5020402; rev:3;)
Recommendations/Investigative actions
Determine which internal device is using Bitsadmin and check the device for signs of unauthorized scripting or malicious activity.
Restrict or block Bitsadmin usage if it’s not required for legitimate operations
Relations to other alerts