Suspicious Download From File-Sharing Website Via Bitsadmin

Image

'\bitsadmin.exe'

OriginalFilename

'bitsadmin.exe'

CommandLine

' /transfer '

' /create '

' /addfile '

'.githubusercontent.com'

'anonfiles.com'

'cdn.discordapp.com'

'ddns.net'

'dl.dropboxusercontent.com'

'ghostbin.co'

'glitch.me'

'gofile.io'

'hastebin.com'

'mediafire.com'

'mega.nz'

'onrender.com'

'pages.dev'

'paste.ee'

'pastebin.com'

'pastebin.pl'

'pastetext.net'

'privatlab.com'

'privatlab.net'

'send.exploit.in'

'sendspace.com'

'storage.googleapis.com'

'storjshare.io'

'supabase.co'

'temp.sh'

'transfer.sh'

'trycloudflare.com'

'ufile.io'

'w3spaces.com'

'workers.dev'

Detection Query 1

((((ResourceName = "Sysmon" AND eventtype = "1") AND image = "\bitsadmin.exe") AND originalfilename = "bitsadmin.exe") AND commandline in ("//transfer","//create","//addfile",".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev"))

Detection Query 2

((((Technologygroup = "EDR" ) AND image = "\bitsadmin.exe") AND originalfilename = "bitsadmin.exe") AND commandline in ("//transfer","//create","//addfile",".githubusercontent.com","anonfiles.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev"))