From 4cb3f6421eb5704fe7fe443a3f6b7c93ae8f6310 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 20 Sep 2020 20:25:59 -0500 Subject: [PATCH] T1197 --- DefenseEvasion.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 7d8db51..f7b3749 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -10,6 +10,12 @@ Reviewing process execution data for T1055.exe, I noted 4 child calc.exe process ### T1197 BITS Jobs Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md) +The below query will find and remote content downloads from DesktopImgDownldr or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system processes and noise with SrcProcParentName Not In (). + +``` +(( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.exe") AND ( TgtProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)" OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe" AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not In ("services.exe","smss.exe","wininit.exe") +``` + ### T1548.002 Bypass User Access Control Atomics: [T1548.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md)
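Review bot: the added description line in the DefenseEvasion.md hunk, `+The below query will find and remote content downloads from DesktopImgDownldr or BitsAdmin processes, ...`, has a typo ("find and remote" for "find any remote") and ends with "SrcProcParentName Not In ()" with an empty list, while the query itself excludes services.exe, smss.exe and wininit.exe; suggest rewording to "find any remote content downloads ..." and naming the three excluded parents so the prose matches the query. On the query line itself, the PowerShell clause uses an exact, case-sensitive match, `TgtProcName = "powershell.exe"`, whereas the bitsadmin/desktopimgdownldr clause uses `In Contains Anycase`, so a `PowerShell.exe` or `pwsh.exe` invocation of Start-BitsTransfer would not match; consider `TgtProcName In Contains Anycase ("powershell.exe","pwsh.exe")` for consistency. Also note that the trailing `AND SrcProcParentName Not In (...)` applies to the whole OR group, so a bitsadmin or desktopimgdownldr download whose grandparent is services.exe (for example one launched from a service used for persistence) is suppressed along with the noise; that trade-off is worth a sentence in the description. Finally, the other code fences in this file are untagged, so this is only a style point, but tagging the new fence with the query language would help readers identify the syntax.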