Ingress Transfer via Windows BITS
Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.
# Elastic prebuilt detection rule (presumably consumed by the detection-rules tooling,
# which generates the Kibana rule from this TOML). Two top-level tables: [metadata]
# holds repository bookkeeping, [rule] holds the rule definition that is shipped.
[metadata]
creation_date = "2023/01/13"
# Data source this rule depends on; must agree with the `index` pattern under [rule].
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version the rule is published for.
min_stack_version = "8.3.0"
updated_date = "2023/10/22"

[rule]
author = ["Elastic"]
description = """
Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS).
Adversaries could leverage Windows BITS transfer jobs to download remote payloads.
"""
# Look-back window evaluated on each run. The schedule interval is not set here, so the
# stack default applies; the window is wider than that interval so late events are not
# skipped (assumption — verify against the deployed schedule).
from = "now-9m"
# Elastic Defend (endpoint) event stream.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Ingress Transfer via Windows BITS"
# NOTE(review): only T1197 is referenced here although the threat mapping below also
# covers T1105 (https://attack.mitre.org/techniques/T1105/).
references = ["https://attack.mitre.org/techniques/T1197/"]
# Low score/severity: BITS is widely used by legitimate updaters (see the exclusions in
# the query), so a hit is a triage signal rather than a high-confidence alert.
risk_score = 21
rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49"
severity = "low"
# The two "Tactic:" tags mirror the [[rule.threat]] entries at the bottom of the file.
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"]
# Evaluate the `from` window against ingest time rather than the event's own
# @timestamp, so events that arrive late (e.g. endpoint was offline) are still seen.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. BITS runs inside svchost.exe, downloads into a temporary BIT*.tmp
# file and renames it to its final name on completion; the rule keys on that rename
# (file.Ext.original.name is the pre-rename name) and then requires either a
# script/executable/archive extension or an MZ header ("4d5a" is the hex of the "MZ"
# magic at the start of PE files), so a renamed payload with a misleading extension is
# still caught by the header check.
# The trailing `not` clauses are false-positive tuning for system paths, long-named
# third-party updater downloads and a few known updaters; they also bound what the rule
# alerts on, so review them per environment. The in-query comment notes the hunting
# variant without the exclusions. The query is a literal multi-line string so the
# Windows path backslashes need no escaping.
query = '''
file where host.os.type == "windows" and event.action == "rename" and
 process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
 (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or
 file.Ext.header_bytes : "4d5a*") and

 /* noisy paths, for hunting purposes you can use the same query without the following exclusions */
 not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and

 /* lot of third party SW use BITS to download executables with a long file name */
 not length(file.name) > 30 and
 not file.path : (
 "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
 "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
 "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
 )
'''


# ATT&CK mapping, one [[rule.threat]] element per tactic. Each element carries its
# technique(s) and a single [rule.threat.tactic] sub-table; the sub-tables must stay
# between their own [[rule.threat]] header and the next one.
# Command and Control: the download itself (Ingress Tool Transfer).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"


# Defense Evasion: using the BITS service (a trusted system component) as the downloader.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1197"
name = "BITS Jobs"
reference = "https://attack.mitre.org/techniques/T1197/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Potential File Transfer via Certreq
- Unusual Network Connection via RunDLL32
- Remote File Download via PowerShell
- Connection to Commonly Abused Web Services
- Potential DNS Tunneling via NsLookup