Adversaries may use Bitsadmin to establish covert command and control channels by connecting to domains with uncommon TLDs, which is a common tactic to evade traditional domain monitoring. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 infrastructure and disrupt adversary operations early.
Detection Rule
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
imWebSession
| where HttpUserAgent startswith "Microsoft BITS/"
    and not (HttpHost endswith ".com" or HttpHost endswith ".net" or HttpHost endswith ".org" or HttpHost endswith ".scdn.co" or HttpHost endswith ".sfx.ms")
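The same detection logic as the rule above, run over constructed proxy log lines as an added example (not part of the original rule or Sigma project). It mirrors the rule's user-agent prefix and excluded-suffix list, and adds an optional extra exclusion tuple for an organization's own internal TLDs, the kind of tuning the rule's falsepositives note calls for; the log format and host names are assumptions.

```python
import re
from dataclasses import dataclass

# Suffixes excluded by the Sigma rule's 'falsepositives' filter.
RULE_EXCLUDED_SUFFIXES = (".com", ".net", ".org", ".scdn.co", ".sfx.ms")

# Constructed W3C-style proxy log lines: date time c-ip cs-host "c-useragent".
SAMPLE_LOG = """\
2023-05-17 10:01:02 10.0.0.5 oneclient.sfx.ms "Microsoft BITS/7.8"
2023-05-17 10:01:03 10.0.0.5 download.example.com "Microsoft BITS/7.8"
2023-05-17 10:01:04 10.0.0.7 updates.vendor.xyz:8443 "Microsoft BITS/7.8"
2023-05-17 10:01:05 10.0.0.7 repo.corp.internal "Microsoft BITS/7.8"
2023-05-17 10:01:06 10.0.0.9 updates.vendor.xyz "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class WebSession:
    client_ip: str
    host: str
    user_agent: str


def parse_log(text):
    """Parse the constructed proxy format; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _date, _time, cip, host, ua = m.groups()
        # Normalise case and drop a ':port' so the suffix check still applies.
        host = host.lower().split(":")[0]
        sessions.append(WebSession(client_ip=cip, host=host, user_agent=ua))
    return sessions


def is_bits_to_uncommon_tld(s, extra_exclusions=()):
    """Rule logic: BITS user agent AND host not ending in an excluded suffix."""
    if not s.user_agent.startswith("Microsoft BITS/"):
        return False
    excluded = RULE_EXCLUDED_SUFFIXES + tuple(x.lower() for x in extra_exclusions)
    return not any(s.host.endswith(sfx) for sfx in excluded)


def hunt(text, extra_exclusions=()):
    """Return the hosts that would fire the rule, in log order."""
    return [s.host for s in parse_log(text) if is_bits_to_uncommon_tld(s, extra_exclusions)]
```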
Scenario: Scheduled System Maintenance Using Bitsadmin
Description: A legitimate scheduled task uses Bitsadmin to download a system update from a domain with an uncommon TLD (e.g., .test or .dev) as part of a development or staging environment.
Filter/Exclusion: Exclude connections to domains with TLDs in a predefined list of development or testing TLDs (e.g., .test, .dev, .local, .example).
Scenario: Internal Tool Deployment via Bitsadmin
Description: An internal tool or script uses Bitsadmin to deploy configuration files or patches to a domain with an uncommon TLD (e.g., .internal or .private) for internal use.
Filter/Exclusion: Exclude domains that are known to be internal or belong to the organization’s private infrastructure.
Scenario: Third-Party Software Update via Bitsadmin
Description: A third-party software update process uses Bitsadmin to fetch updates from a domain with an uncommon TLD (e.g., .xyz for a niche service, where .com would be the common case).
Filter/Exclusion: Exclude domains that are known to be used by trusted third-party vendors or software update services.
Scenario: Bitsadmin Used for Internal DNS Testing
Description: A network administrator uses Bitsadmin to test DNS resolution or perform internal network diagnostics against a domain with an uncommon TLD (e.g., .lan or .intranet).
Filter/Exclusion: Exclude domains that are part of the organization’s internal DNS setup or testing environments.
Scenario: Legacy Application Using Bitsadmin for Data Sync
Description: A legacy application or service uses Bitsadmin to synchronize data with a legacy system hosted on a domain with an uncommon TLD (e.g., .old or .backup).
*Filter/Ex