Attack Chain

1. An attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).
2. The attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.
3. The BITS job is configured to download a malicious executable or archive from a remote server using the bitsadmin.exe utility.
4. BITS downloads the file to a temporary location on the system with a BIT*.tmp extension.
5. The svchost.exe process renames the temporary file to its final name and extension (e.g., .exe, .zip).
6. The attacker executes the downloaded file, initiating further malicious activities.
7. The malware establishes persistence through registry keys or scheduled tasks.
8. The malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.

Impact

Successful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.

Recommendation

• Deploy the “Ingress Transfer via Windows BITS” Sigma rule to your SIEM and tune for your environment.
• Enable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.
• Monitor network connections initiated by svchost.exe to identify potentially malicious downloads.
• Investigate any instances of bitsadmin.exe being executed, especially with command-line arguments indicative of suspicious downloads.
• Review Microsoft-Windows-Bits-Client/Operational Windows logs (event ID 59) for unusual BITS events.
• Block known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.