BITS Job Persistence

Original Source: [splunk source]
Name:BITS Job Persistence
id:e97a5ffe-90bf-11eb-928a-acde48001122
version:5
date:2024-09-30
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.
Data_source:
  • -Sysmon EventID 1
  • -Windows Event Log Security 4688
  • -CrowdStrike ProcessRollup2
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bits_job_persistence_filter`


how_to_implement:The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives:Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.
References:
  -https://attack.mitre.org/techniques/T1197/
  -https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
  -https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md#atomic-test-3---persist-download--execute
  -https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
drilldown_searches:
name:'View the detection results for - "$user$" and "$dest$"'
search:'%original_detection_search% | search user = "$user$" dest = "$dest$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$" and "$dest$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'BITS Jobs'
    - 'Living Off The Land'
  asset_type:Endpoint
  confidence:80
  impact:70
  message:An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.
  mitre_attack_id:
    - 'T1197'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
    name:'parent_process_name'
    type:'Process'
    - role:
      - 'Attacker'
    name:'process_name'
    type:'Process'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Processes.dest'
    - 'Processes.user'
    - 'Processes.parent_process_name'
    - 'Processes.parent_process'
    - 'Processes.original_file_name'
    - 'Processes.process_name'
    - 'Processes.process'
    - 'Processes.process_id'
    - 'Processes.parent_process_path'
    - 'Processes.process_path'
    - 'Processes.parent_process_id'
  risk_score:56
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log
  source: crowdstrike
  sourcetype: crowdstrike:events:sensor
manual_test:None

Related Analytic Stories


Living Off The Land

BITS Jobs