[metadata] creation_date = "2023/01/13" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Ingress Transfer via Windows BITS" references = ["https://attack.mitre.org/techniques/T1197/"] risk_score = 21 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control"] timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "windows" and event.action == "rename" and process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and (file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and /* lot of third party SW use BITS to download executables with a long file name */ not length(file.name) > 30 ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1197" name = "BITS Jobs" reference = "https://attack.mitre.org/techniques/T1197/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"