title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: experimental
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
author: Florian Roth
date: 2022/06/10
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|startswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
    - attack.s0190