Adversaries may use Bitsadmin to establish covert connections to uncommon IP addresses to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or C2 activity that bypasses traditional DNS-based detection mechanisms.
Detection Rule
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high
imWebSession
| where HttpUserAgent startswith "Microsoft BITS/"
    and (HttpHost endswith "1" or HttpHost endswith "2" or HttpHost endswith "3"
         or HttpHost endswith "4" or HttpHost endswith "5" or HttpHost endswith "6"
         or HttpHost endswith "7" or HttpHost endswith "8" or HttpHost endswith "9")
Scenario: A system administrator uses Bitsadmin to download a Windows update package from an internal IP address as part of a scheduled maintenance task.
Filter/Exclusion: Exclude connections to IP addresses within the internal network range (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or specific IPs used for internal update servers.
Scenario: A Windows Server Backup job uses Bitsadmin to transfer backup data to a remote storage server with a static IP address.
Filter/Exclusion: Exclude IPs associated with known internal backup servers or use a custom field to identify legitimate backup-related IPs.
Scenario: A System Center Configuration Manager (SCCM) client uses Bitsadmin to communicate with a distribution point that has an IP address assigned instead of a FQDN.
Filter/Exclusion: Exclude IPs that are known to be used by SCCM distribution points or use a custom field to identify SCCM-related traffic.
Scenario: A PowerShell script runs via Task Scheduler and uses Bitsadmin to fetch a configuration file from an internal IP address for automation purposes.
Filter/Exclusion: Exclude IPs that are known to be used by internal automation tools or filter based on the originating process name (e.g., powershell.exe).
Scenario: A remote desktop session uses Bitsadmin to transfer files between two internal systems, where the destination IP is not resolved to a FQDN.
Filter/Exclusion: Exclude IPs that are part of the internal network or filter based on the source and destination IP ranges used for internal communication.
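The rule's selection and the internal-range exclusion from the scenarios above, applied to a handful of constructed proxy records (added example, not part of the rule or the page; the sample hosts, the hypothetical `require_ip_literal` option and the 7.8 BITS version string are assumptions). It also shows two properties of the "host ends with a digit" heuristic that the rule text does not spell out: a plain hostname ending in a digit matches it, and an IP literal ending in 0 does not.

```python
import ipaddress

# Constructed sample proxy events (not real traffic); field names follow the Sigma proxy taxonomy.
SAMPLE_EVENTS = [
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "203.0.113.45"},   # external IP literal
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "10.20.30.41"},    # internal IP literal
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "download.windowsupdate.com"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "cdn-node7"},      # hostname ending in a digit
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "198.51.100.20"},  # IP literal ending in 0
    {"c-useragent": "Mozilla/5.0", "cs-host": "203.0.113.45"},          # not BITS
]

# Private ranges named in the first false-positive scenario.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sigma_selection(event):
    """The rule's selection exactly as written: BITS user agent and cs-host ending in 1-9."""
    ua = event.get("c-useragent", "")
    host = event.get("cs-host", "")
    return ua.startswith("Microsoft BITS/") and host.endswith(tuple("123456789"))


def is_ip_literal(host):
    """True only when the host field is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_internal(host):
    """Exclusion helper: host is an IP literal inside one of INTERNAL_RANGES."""
    return is_ip_literal(host) and any(ipaddress.ip_address(host) in net for net in INTERNAL_RANGES)


def hunt(events, exclude_internal=True, require_ip_literal=False):
    """Return the cs-host values that survive the rule and the chosen exclusions.

    require_ip_literal (assumed option) tightens the digit heuristic to real IP literals.
    """
    hits = []
    for ev in events:
        host = ev.get("cs-host", "")
        if not sigma_selection(ev):
            continue
        if exclude_internal and is_internal(host):
            continue
        if require_ip_literal and not is_ip_literal(host):
            continue
        hits.append(host)
    return hits
```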