Persistence via BITS Job Notify Cmdline

  1[metadata]
  2creation_date = "2021/12/04"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program
 11that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a
 12system.
 13"""
 14from = "now-9m"
 15index = [
 16    "logs-endpoint.events.process-*",
 17    "winlogbeat-*",
 18    "logs-windows.sysmon_operational-*",
 19    "endgame-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-m365_defender.event-*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "Persistence via BITS Job Notify Cmdline"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Persistence via BITS Job Notify Cmdline
 32
 33Background Intelligent Transfer Service (BITS) is a Windows service that facilitates asynchronous, prioritized, and throttled transfer of files between machines. Adversaries exploit BITS by using the SetNotifyCmdLine method to execute malicious programs post-transfer, achieving persistence. The detection rule identifies suspicious processes initiated by BITS, excluding known legitimate executables, to flag potential abuse.
 34
 35### Possible investigation steps
 36
 37- Review the process details to confirm the parent process is "svchost.exe" with arguments containing "BITS" to ensure the alert is not a false positive.
 38- Examine the process executable path to verify it is not one of the known legitimate executables listed in the exclusion criteria.
 39- Investigate the command line arguments of the suspicious process to identify any potentially malicious or unusual commands being executed.
 40- Check the file hash and signature of the suspicious executable to determine if it is known malware or a legitimate application.
 41- Analyze the network activity associated with the process to identify any suspicious connections or data transfers that may indicate malicious behavior.
 42- Review the system's event logs for any additional context or related events that could provide insight into the persistence mechanism or the adversary's actions.
 43- Assess the affected system for any other signs of compromise or persistence mechanisms that may have been employed by the adversary.
 44
 45### False positive analysis
 46
 47- Legitimate system processes or updates may occasionally trigger the rule if they are not included in the exclusion list. Regularly review and update the exclusion list to include any new legitimate executables that are identified.
 48- Some third-party software may use BITS for legitimate purposes, such as software updates or data synchronization. Identify these applications and consider adding their executables to the exclusion list to prevent false positives.
 49- Scheduled tasks or scripts that utilize BITS for file transfers might be flagged. Verify the legitimacy of these tasks and, if deemed safe, exclude their associated executables from the detection rule.
 50- In environments where custom scripts or administrative tools are used, ensure that these are documented and, if necessary, excluded from the rule to avoid unnecessary alerts.
 51- Monitor the frequency and context of alerts to identify patterns that may indicate benign activity. Use this information to refine the rule and reduce false positives without compromising security.
 52
 53### Response and remediation
 54
 55- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
 56- Terminate any suspicious processes identified as being initiated by BITS that are not part of the known legitimate executables list.
 57- Conduct a thorough review of the BITS job configurations on the affected system to identify and remove any unauthorized or suspicious jobs.
 58- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.
 59- Update and run a full antivirus and anti-malware scan on the affected system to ensure no additional threats are present.
 60- Review and enhance endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs.
 61- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 62references = [
 63    "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
 64    "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
 65    "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline",
 66    "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2",
 67]
 68risk_score = 47
 69rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f"
 70severity = "medium"
 71tags = [
 72    "Domain: Endpoint",
 73    "OS: Windows",
 74    "Use Case: Threat Detection",
 75    "Tactic: Persistence",
 76    "Data Source: Elastic Endgame",
 77    "Data Source: Elastic Defend",
 78    "Data Source: Sysmon",
 79    "Data Source: SentinelOne",
 80    "Data Source: Microsoft Defender for Endpoint",
 81    "Resources: Investigation Guide",
 82]
 83timestamp_override = "event.ingested"
 84type = "eql"
 85
 86query = '''
 87process where host.os.type == "windows" and event.type == "start" and
 88  process.parent.name : "svchost.exe" and process.parent.args : "BITS" and
 89  not process.executable :
 90              ("?:\\Windows\\System32\\WerFaultSecure.exe",
 91               "?:\\Windows\\System32\\WerFault.exe",
 92               "?:\\Windows\\System32\\wermgr.exe",
 93               "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe")
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1197"
101name = "BITS Jobs"
102reference = "https://attack.mitre.org/techniques/T1197/"
103
104
105[rule.threat.tactic]
106id = "TA0003"
107name = "Persistence"
108reference = "https://attack.mitre.org/tactics/TA0003/"