Detection rules › Splunk
BITSadmin Execution (Sysmon)
BITSAdmin is a command line tool used to create and for managing background intelligent transfer
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1197 BITS Jobs |
| Persistence | T1197 BITS Jobs |
| Stealth | T1197 BITS Jobs |
| Lateral Movement | T1570 Lateral Tool Transfer |
| Command & Control | T1105 Ingress Tool Transfer |
| Exfiltration | T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
References
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://www.trendmicro.com/en_us/research/18/c/tropic-trooper-new-strategy.html
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '6149.15955'
title: BITSadmin Execution
description: 'BITSAdmin is a command line tool used to create and for managing background
intelligent transfer. Living Off the Land Binary and Scripts (LOLBAS) (LOLBIN) Threat
Actor Association: Andariel, APT31, APT41, BlackMatter, Darkside, FIN12, Flax Typhoon
Software Association: ALPHV/BlackCat, Astaroth, Clop, MINEBRIDGE, Nefilim, Sodinokibi/REvil,
Ransom Cartel Atomics T1105 Test#9 Atomics T1197 Test#1 Atomics T1197 Test#2 Atomics
T1197 Test#3'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
("bitsadmin" OR "BITS") | table _time, host, user, signature_id, process, process_*,
parent_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- persistence:bits jobs
- defense-evasion:bits jobs
- lateral-movement:lateral tool transfer
- command-and-control:ingress tool transfer
- exfiltration:exfiltration over alternative protocol:exfiltration over unencrypted
non-c2 protocol
technique_id:
- T1197
- T1048.003
- T1570
- T1105
data_category:
- Windows Sysmon
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://www.trendmicro.com/en_us/research/18/c/tropic-trooper-new-strategy.html
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") ("bitsadmin" OR "BITS")
Stage 2: table
| table _time, host, user, signature_id, process, process_*, parent_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "bitsadmin" |
| 1 | "BITS" |