{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1197/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.persistence","attack.t1197"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Background Intelligent Transfer Service (BITS) is a Windows service that transfers files in the background. Attackers abuse BITS to download malware, exfiltrate data, or maintain persistence. This rule focuses on detecting BITS activity involving unusual or suspicious top-level domains (TLDs) or subdomains. Legitimate uses of BITS often involve well-known Microsoft domains or content delivery networks. Attackers may use less common TLDs or subdomains to evade detection. By monitoring BITS transfers to uncommon domains, analysts can identify potentially malicious activity that bypasses standard web filtering and intrusion detection systems. This activity started being tracked in June 2022 and continues to be relevant due to its built-in functionality within Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell or cmd.exe to create a new BITS transfer job.\u003c/li\u003e\n\u003cli\u003eThe BITS job is configured to download a malicious payload from a remote server with an uncommon TLD.\u003c/li\u003e\n\u003cli\u003eThe BITS service initiates the download in the background.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is saved to disk, often in a hidden or temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded payload using PowerShell, cmd.exe, or another scripting engine.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, lateral movement, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via BITS can lead to a range of adverse outcomes, including malware infection, data theft, and system compromise. Since BITS operates in the background, users may not be aware of the malicious activity, allowing attackers to maintain persistence and control over the compromised system undetected. The lack of user interaction makes it difficult to attribute the attack to user error, complicating incident response efforts. While the exact number of victims is unknown, this technique is prevalent across various sectors due to BITS's widespread availability on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;BITS Transfer Job With Uncommon or Suspicious Remote TLD\u0026quot; to your SIEM and tune for your environment to detect potentially malicious BITS activity.\u003c/li\u003e\n\u003cli\u003eMonitor the BITS-Client service logs on Windows endpoints for EventID 16403 to identify new transfer jobs.\u003c/li\u003e\n\u003cli\u003eInvestigate any BITS transfer jobs that involve remote names outside of the filter_main_generic list.\u003c/li\u003e\n\u003cli\u003eImplement stricter egress filtering to block connections to uncommon or suspicious TLDs.\u003c/li\u003e\n\u003cli\u003eConsider enabling Sysmon process creation logging to correlate BITS activity with subsequent process executions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-bits-uncommon-tld/","summary":"Adversaries abuse Background Intelligent Transfer Service (BITS) to download malicious payloads from unusual top-level domains, bypassing traditional security measures and establishing persistence on compromised systems.","title":"BITS Transfer Job With Uncommon or Suspicious Remote TLD","url":"https://feed.craftedsignal.io/briefs/2024-01-02-bits-uncommon-tld/"}],"language":"en","title":"CraftedSignal Threat Feed - Attack.t1197","version":"https://jsonfeed.org/version/1.1"}