BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address. The rule reads Event ID 16403 from the Microsoft-Windows-Bits-Client/Operational channel and flags a RemoteName whose host begins with a digit (http://1 … https://9), excluding RFC 1918, loopback and link-local ranges and the digit-leading domain 7-zip.org. This is a string-prefix match, not an IP parse: any hostname that starts with a digit also matches, so extend the optional filters for such domains seen in your environment.
Sigma rule
```yaml
title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
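The following is an added example, not part of the Sigma rule or the SigmaHQ repository. It replays the rule's logic (selection and not 1 of filter_optional_*) over a handful of constructed Bits-Client events, using only the EventID and RemoteName fields the rule references, and sets it beside a stricter variant that parses the URL host and accepts only a literal IP outside the same local ranges. The sample events, the hostname 1cdn.example and the function is_direct_nonlocal_ip are assumptions made for illustration; the IPv6 local ranges in LOCAL_NETS go beyond the rule, which cannot select bracketed IPv6 literals at all.

```python
"""Replay of the Sigma rule 'BITS Transfer Job Download From Direct IP' over
constructed Microsoft-Windows-Bits-Client/Operational events, plus a stricter
URL-parsing variant for tuning. Added example, not SigmaHQ code."""
import ipaddress
from urllib.parse import urlsplit

# selection: RemoteName|contains 'http://1' .. 'https://9' (the rule's 18 strings).
SELECTION = [f"{scheme}://{digit}" for scheme in ("http", "https") for digit in "123456789"]

# filter_optional_local_networks: RFC 1918, loopback and link-local prefixes.
FILTER_LOCAL_NETWORKS = ["://10.", "://192.168.", "://127.", "://169.254."] + [
    f"://172.{n}." for n in range(16, 32)
]

# filter_optional_seven_zip: https://7-zip.org/ starts with a digit.
FILTER_SEVEN_ZIP = ["https://7-", "http://7-"]


def sigma_match(event):
    """Evaluate 'selection and not 1 of filter_optional_*' on one event dict.

    Sigma string modifiers are case-insensitive, hence the lower()."""
    if event.get("EventID") != 16403:
        return False
    remote = event.get("RemoteName", "").lower()
    selected = any(s in remote for s in SELECTION)
    filtered = any(f in remote for f in FILTER_LOCAL_NETWORKS + FILTER_SEVEN_ZIP)
    return selected and not filtered


def run_rule(events):
    """Return the RemoteName of every event the rule would alert on."""
    return [e["RemoteName"] for e in events if sigma_match(e)]


# Stricter tuning variant (assumption, not part of the rule): the local ranges the
# rule filters, plus IPv6 counterparts the rule's 'http://<digit>' strings never
# reach because IPv6 literals in URLs are bracketed ('http://[').
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_direct_nonlocal_ip(remote):
    """True only when the URL host parses as a literal IP outside LOCAL_NETS.

    Unlike the Sigma prefix match, a DNS name that merely starts with a digit
    is not an IP address and returns False."""
    try:
        host = urlsplit(remote).hostname
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


# Constructed events carrying the two fields the rule uses (hypothetical data).
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "http://198.51.100.23/update.exe"},   # public IP: alert
    {"EventID": 16403, "RemoteName": "HTTP://198.51.100.23/Update.EXE"},   # case-insensitive: alert
    {"EventID": 3,     "RemoteName": "http://198.51.100.23/update.exe"},   # other event ID: ignored
    {"EventID": 16403, "RemoteName": "https://10.20.30.40/client.msi"},    # RFC 1918: filtered
    {"EventID": 16403, "RemoteName": "https://7-zip.org/a/7z.exe"},        # 7-zip.org: filtered
    {"EventID": 16403, "RemoteName": "http://1cdn.example/agent.exe"},     # digit-leading name: alert
    {"EventID": 16403, "RemoteName": "http://[2001:db8::1]/agent.exe"},    # IPv6 literal: not selected
]

if __name__ == "__main__":
    print("sigma  strict  RemoteName")
    for e in SAMPLE_EVENTS:
        print(f"{str(sigma_match(e)):6} {str(is_direct_nonlocal_ip(e['RemoteName'])):7} {e['RemoteName']}")
```

Running the block prints one line per event; the rule fires on the two public-IP events and on the digit-leading hostname, while the stricter check fires on the public IP and on the IPv6 literal the rule misses. If digit-leading hostnames are common in your telemetry, add them to filter_optional_* rather than replacing the rule, so the Sigma logic stays backend-portable.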
Related rules
- BITS Transfer Job Download From File Sharing Domains
- BITS Transfer Job Download To Potential Suspicious Folder
- BITS Transfer Job Downloading File Potential Suspicious Extension
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Bitsadmin to Uncommon IP Server Address