cscli scenarios install sigmahq/proc_creation_win_bitsadmin_download_susp_targetfolder1type: trigger2name: sigmahq/proc_creation_win_bitsadmin_download_susp_targetfolder3description: |4 Detects usage of bitsadmin downloading a file to a suspicious target folder5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\bitsadmin.exe' || evt.Parsed.OriginalFileName == 'bitsadmin.exe') && (evt.Parsed.CommandLine contains ' /transfer ' || evt.Parsed.CommandLine contains ' /create ' || evt.Parsed.CommandLine contains ' /addfile ') && (evt.Parsed.CommandLine contains ':\\Perflogs' || evt.Parsed.CommandLine contains ':\\ProgramData\\' || evt.Parsed.CommandLine contains ':\\Temp\\' || evt.Parsed.CommandLine contains ':\\Users\\Public\\' || evt.Parsed.CommandLine contains ':\\Windows\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\Temp\\' || evt.Parsed.CommandLine contains '\\AppData\\Roaming\\' || evt.Parsed.CommandLine contains '\\Desktop\\' || evt.Parsed.CommandLine contains '%ProgramData%' || evt.Parsed.CommandLine contains '%public%'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t119715 - attack.t1036.0031617 label: "File Download Via Bitsadmin To A Suspicious Target Folder"18 behavior : "windows:audit"19 remediation: false2021scope:22 type: ParentProcessId23 expression: evt.Parsed.ParentProcessId2425