<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.t1197 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.t1197/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.t1197/feed.xml" rel="self" type="application/rss+xml"/><item><title>BITS Transfer Job With Uncommon or Suspicious Remote TLD</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-bits-uncommon-tld/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-bits-uncommon-tld/</guid><description>Adversaries abuse Background Intelligent Transfer Service (BITS) to download malicious payloads from unusual top-level domains, bypassing traditional security measures and establishing persistence on compromised systems.</description><content:encoded><![CDATA[<p>The Background Intelligent Transfer Service (BITS) is a Windows service that transfers files in the background. Attackers abuse BITS to download malware, exfiltrate data, or maintain persistence. This rule focuses on detecting BITS activity involving unusual or suspicious top-level domains (TLDs) or subdomains. Legitimate uses of BITS often involve well-known Microsoft domains or content delivery networks. Attackers may use less common TLDs or subdomains to evade detection. By monitoring BITS transfers to uncommon domains, analysts can identify potentially malicious activity that bypasses standard web filtering and intrusion detection systems. This activity started being tracked in June 2022 and continues to be relevant due to its built-in functionality within Windows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system through an exploit or social engineering.</li>
<li>The attacker uses PowerShell or cmd.exe to create a new BITS transfer job.</li>
<li>The BITS job is configured to download a malicious payload from a remote server with an uncommon TLD.</li>
<li>The BITS service initiates the download in the background.</li>
<li>The malicious payload is saved to disk, often in a hidden or temporary directory.</li>
<li>The attacker executes the downloaded payload using PowerShell, cmd.exe, or another scripting engine.</li>
<li>The payload establishes persistence through registry keys or scheduled tasks.</li>
<li>The attacker achieves their objective, such as data exfiltration, lateral movement, or ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via BITS can lead to a range of adverse outcomes, including malware infection, data theft, and system compromise. Since BITS operates in the background, users may not be aware of the malicious activity, allowing attackers to maintain persistence and control over the compromised system undetected. The lack of user interaction makes it difficult to attribute the attack to user error, complicating incident response efforts. While the exact number of victims is unknown, this technique is prevalent across various sectors due to BITS's widespread availability on Windows systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;BITS Transfer Job With Uncommon or Suspicious Remote TLD&quot; to your SIEM and tune for your environment to detect potentially malicious BITS activity.</li>
<li>Monitor the BITS-Client service logs on Windows endpoints for EventID 16403 to identify new transfer jobs.</li>
<li>Investigate any BITS transfer jobs that involve remote names outside of the filter_main_generic list.</li>
<li>Implement stricter egress filtering to block connections to uncommon or suspicious TLDs.</li>
<li>Consider enabling Sysmon process creation logging to correlate BITS activity with subsequent process executions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.defense-evasion</category><category>attack.persistence</category><category>attack.t1197</category></item></channel></rss>