BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
Sigma rule

```yaml
title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
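The rule's detection logic, as an added example that is not the rule author's or Sigma's own code: a small Python evaluator that applies the selection, both optional filters and the condition to constructed BITS-Client event 16403 records. The event dictionaries, RemoteName values and the `matches`/`triage` helper names are constructed for this example; field names follow the rule.

```python
# Added example (not the rule author's or Sigma's code): evaluates the rule's
# detection logic over constructed Microsoft-Windows-Bits-Client event 16403
# records. Field names follow the rule; all sample values are constructed.

# selection: RemoteName|contains any of 'http://1'..'http://9', 'https://1'..'https://9'
SELECTION = [f"{scheme}://{digit}" for scheme in ("http", "https") for digit in "123456789"]

# filter_optional_local_networks: RFC 1918, loopback and link-local prefixes
LOCAL_PREFIXES = ["://10.", "://192.168.", "://127.", "://169.254."] + [
    f"://172.{n}." for n in range(16, 32)  # 172.16.0.0/12, spelled out as in the rule
]

# filter_optional_seven_zip: legitimate downloads from https://7-zip.org/
SEVEN_ZIP_PREFIXES = ["https://7-", "http://7-"]


def matches(event: dict) -> bool:
    """True if the event fires the rule (condition: selection and not 1 of filter_optional_*)."""
    if event.get("EventID") != 16403:
        return False
    # Sigma string matching is case-insensitive by default.
    remote = str(event.get("RemoteName", "")).lower()
    if not any(s in remote for s in SELECTION):
        return False
    if any(p in remote for p in LOCAL_PREFIXES + SEVEN_ZIP_PREFIXES):
        return False
    return True


# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "http://203.0.113.10/payload.bin"},  # public IP: alert
    {"EventID": 16403, "RemoteName": "https://192.168.1.5/update.msi"},   # RFC 1918: filtered
    {"EventID": 16403, "RemoteName": "https://7-zip.org/a/7z-x64.exe"},   # 7-zip: filtered
    {"EventID": 16403, "RemoteName": "https://example.com/file.zip"},     # hostname: no match
    {"EventID": 16403, "RemoteName": "HTTP://1example.test/setup.exe"},   # digit-leading host: alert
    {"EventID": 16402, "RemoteName": "http://203.0.113.10/payload.bin"},  # other BITS event: ignored
]


def triage(events: list) -> list:
    """Return the RemoteName of every event the rule would alert on."""
    return [e["RemoteName"] for e in events if matches(e)]


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The last alerting sample shows the caveat behind the 7-zip filter: because the selection is a substring match on `http://1` through `https://9`, any hostname that begins with a digit also matches, so tuning for such hosts in the environment belongs in a further `filter_optional_*` entry rather than in the selection.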
Related rules
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job Downloading File Potential Suspicious Extension
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD