
Summary
The rule 'Ingress Transfer via Windows BITS' detects potential misuse of the Windows Background Intelligent Transfer Service (BITS) to download executable and archive files that may be malicious. Attackers favor BITS because the download is carried out by the BITS service host (svchost.exe) rather than by the process that requested it, so the file write on disk is attributed to a trusted system process and is harder to trace back to the initiating application. The detection is an EQL (Event Query Language) query over Windows file events: it looks for a file rename performed by 'svchost.exe' in which the original file name matches 'BIT*.tmp' (the staging name BITS gives a transfer in progress) and the final file carries an executable or archive extension. The rule ships with a triage guide that explains how to examine the properties of the BITS job, look for unusual processes on the host, and check the reputation of the domains involved in order to decide whether the transfer was malicious. False positives can arise from legitimate uses of BITS, such as Windows Update and software that fetches its own updates through the service. Where an incident is confirmed, the response is to isolate the affected host, remove the malware, and apply any outstanding security updates.
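The following is an added example, not the rule's own EQL or any Elastic code: it reimplements the detection logic described above in Python and runs it over constructed sample file events so the match conditions can be checked offline. The flat, ECS-style field names (event.category, event.action, host.os.type, process.name, file.Ext.original.name, file.extension, file.path) and the set of payload extensions are assumptions of this example and may differ from the shipped rule.

```python
import fnmatch

# Extensions treated as executable or archive payloads. Illustrative set
# chosen for this example; the rule's own list is an assumption here.
PAYLOAD_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "msi", "msp", "cpl", "ocx",
    "ps1", "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd",
    "zip", "rar", "7z", "iso", "img", "cab",
}


def is_bits_ingress_transfer(event):
    """Return True when one file event matches the detection logic.

    Field names are assumed, ECS-like, flattened keys:
      host.os.type, event.category, event.action, process.name,
      file.Ext.original.name (name before the rename), file.extension, file.path
    """
    if event.get("host.os.type") != "windows":
        return False
    if event.get("event.category") != "file" or event.get("event.action") != "rename":
        return False
    # BITS performs the write from inside its service host, so the renaming
    # process is svchost.exe rather than the application that queued the job.
    if (event.get("process.name") or "").lower() != "svchost.exe":
        return False
    # A transfer in progress is staged as BIT<hex>.tmp and renamed on completion.
    # Lower-case both sides because NTFS names are case-insensitive.
    original = (event.get("file.Ext.original.name") or "").lower()
    if not fnmatch.fnmatch(original, "bit*.tmp"):
        return False
    return (event.get("file.extension") or "").lower() in PAYLOAD_EXTENSIONS


def find_bits_ingress_transfers(events):
    """Return the final paths of every matching event, in input order."""
    return [e["file.path"] for e in events if is_bits_ingress_transfer(e)]


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {   # BITS staging file renamed to an executable: fires
        "host.os.type": "windows", "event.category": "file", "event.action": "rename",
        "process.name": "svchost.exe", "file.Ext.original.name": "BIT6A3F.tmp",
        "file.path": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
        "file.extension": "exe",
    },
    {   # Same pattern, final file is an archive: fires
        "host.os.type": "windows", "event.category": "file", "event.action": "rename",
        "process.name": "svchost.exe", "file.Ext.original.name": "BIT9C01.tmp",
        "file.path": r"C:\ProgramData\payload.zip", "file.extension": "zip",
    },
    {   # Ordinary BITS download of a document: does not fire (extension)
        "host.os.type": "windows", "event.category": "file", "event.action": "rename",
        "process.name": "svchost.exe", "file.Ext.original.name": "BIT1B2C.tmp",
        "file.path": r"C:\Users\alice\Downloads\report.pdf", "file.extension": "pdf",
    },
    {   # Executable renamed by explorer.exe from a non-BITS temp name: does not fire
        "host.os.type": "windows", "event.category": "file", "event.action": "rename",
        "process.name": "explorer.exe", "file.Ext.original.name": "setup.tmp",
        "file.path": r"C:\Users\alice\Downloads\setup.exe", "file.extension": "exe",
    },
    {   # File creation rather than rename: does not fire (event.action)
        "host.os.type": "windows", "event.category": "file", "event.action": "creation",
        "process.name": "svchost.exe", "file.Ext.original.name": "BIT77AA.tmp",
        "file.path": r"C:\Windows\Temp\BIT77AA.tmp", "file.extension": "tmp",
    },
]


if __name__ == "__main__":
    for path in find_bits_ingress_transfers(SAMPLE_EVENTS):
        print("ALERT ingress transfer via BITS:", path)
```

The non-firing samples show the three conditions that carry the rule's precision: the rename action, the svchost.exe process name, and the BIT*.tmp original name. Loosening any one of them (for example matching on creation events, or on any process) pulls in ordinary temp-file handling, which is where the false positives mentioned above come from.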
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1197
- T1105
Created: 2023-01-13