Hunting Bitsadmin usage
This query implements a multi-hypothesis threat hunting workflow to detect abuse of the Windows Background Intelligent Transfer Service (BITS). It uses a case statement to classify incoming telemetry into four distinct detection hypotheses; the first matching branch wins, events that match none are labelled NO_MATCH and filtered out, and the remaining rows are projected onto the relevant fields and sorted by time.
EDR, hunting, T1197
FDR, intermediate. By Oussama AZRARA (cql-hub.com). 1 min read
Query
| case {
#event_simpleName=ProcessRollup2
AND (ImageFileName=/\\bitsadmin\.exe$/i OR OriginalFilename="bitsadmin.exe")
AND (
CommandLine=/\/transfer/i
OR CommandLine=/\/addfile/i
OR CommandLine=/\/download/i
OR CommandLine=/\/SetNotifyCmdLine/i
OR CommandLine=/\/resume/i
OR CommandLine=/https?:\/\//i
OR CommandLine=/ftp:\/\//i
)
AND NOT (
ParentBaseFileName=svchost.exe
OR ParentBaseFileName=msiexec.exe
)
| hunt_hypothesis := "H1_BITSADMIN_DIRECT_EXEC" ;
(#event_simpleName=ScriptControlScanV2 OR #event_simpleName=CommandHistory)
AND (
ScriptContent=/Start-BitsTransfer/i
OR ScriptContent=/Import-Module\s+BitsTransfer/i
OR ScriptContent=/BITS\.IBackgroundCopyManager/i
)
AND (
ScriptContent=/https?:\/\//i
OR ScriptContent=/\-Source/i
OR ScriptContent=/\-Destination/i
)
| hunt_hypothesis := "H2_POWERSHELL_BITSTRANSFER" ;
#event_simpleName=ProcessRollup2
AND (
CommandLine=/SetNotifyCmdLine/i
OR CommandLine=/SetMinRetryDelay/i
OR CommandLine=/SetNoProgressTimeout/i
)
AND NOT CommandLine=/Windows.Update/i
| hunt_hypothesis := "H3_BITS_PERSISTENCE" ;
#event_simpleName=ProcessRollup2
AND ImageFileName=/\\bitsadmin\.exe$/i
AND CommandLine=/getieproxy/i
| hunt_hypothesis := "H4_BITS_PROXY_RECON" ;
* | hunt_hypothesis := "NO_MATCH" ;
}
// Drop events that matched no hypothesis
| hunt_hypothesis != "NO_MATCH"
| select([
@timestamp,
hunt_hypothesis,
ComputerName,
UserName,
UserSid,
ImageFileName,
CommandLine,
ParentBaseFileName,
ParentCommandLine,
ScriptContent,
SHA256HashData
])
| sort(@timestamp, order=desc)
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
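To check the branch order and exclusions before deploying the query, the same four hypotheses can be replayed over a handful of constructed events. This is an added example, not code from cql-hub.com: the patterns are taken from the query, the sample events, hostnames, paths and URL are made up, and H2 treats the two script event types as one group.

```python
import re

# Constructed sample telemetry (not real events), shaped like the CrowdStrike
# fields the query selects. Hostnames, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer j /download http://example.test/f.txt C:\\Users\\Public\\f.txt"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "ParentBaseFileName": "svchost.exe",
     "ImageFileName": r"C:\Windows\System32\bitsadmin.exe", "CommandLine": "bitsadmin /resume j"},
    {"event_simpleName": "ScriptControlScanV2", "ComputerName": "WS03",
     "ScriptContent": "Start-BitsTransfer -Source http://example.test/f.txt -Destination C:\\temp\\f.txt"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS04", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c bitsadmin /SetMinRetryDelay j 60"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS05", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": r"C:\Windows\System32\bitsadmin.exe", "CommandLine": "bitsadmin /getieproxy localsystem"},
]

def _any(text, patterns):
    return any(re.search(p, text, re.I) for p in patterns)

def classify(ev):
    """First matching hypothesis, in the same order as the query's case{} block."""
    name, cmd = ev.get("event_simpleName"), ev.get("CommandLine", "")
    img, script, parent = ev.get("ImageFileName", ""), ev.get("ScriptContent", ""), ev.get("ParentBaseFileName", "")
    is_bitsadmin = bool(re.search(r"\\bitsadmin\.exe$", img, re.I)) or ev.get("OriginalFilename") == "bitsadmin.exe"
    # H1: bitsadmin.exe itself, with a transfer switch or URL, not spawned by svchost/msiexec
    if (name == "ProcessRollup2" and is_bitsadmin and parent.lower() not in ("svchost.exe", "msiexec.exe")
            and _any(cmd, [r"/transfer", r"/addfile", r"/download", r"/SetNotifyCmdLine", r"/resume", r"https?://", r"ftp://"])):
        return "H1_BITSADMIN_DIRECT_EXEC"
    # H2: either script event type (grouped) using BITS cmdlets/COM plus a URL or -Source/-Destination
    if (name in ("ScriptControlScanV2", "CommandHistory")
            and _any(script, [r"Start-BitsTransfer", r"Import-Module\s+BitsTransfer", r"BITS\.IBackgroundCopyManager"])
            and _any(script, [r"https?://", r"-Source", r"-Destination"])):
        return "H2_POWERSHELL_BITSTRANSFER"
    # H3: job-shaping switches from any image (e.g. cmd /c bitsadmin ...), minus Windows Update noise
    if (name == "ProcessRollup2" and _any(cmd, [r"SetNotifyCmdLine", r"SetMinRetryDelay", r"SetNoProgressTimeout"])
            and not re.search(r"Windows.Update", cmd, re.I)):
        return "H3_BITS_PERSISTENCE"
    # H4: proxy discovery via /getieproxy
    if name == "ProcessRollup2" and re.search(r"\\bitsadmin\.exe$", img, re.I) and re.search(r"getieproxy", cmd, re.I):
        return "H4_BITS_PROXY_RECON"
    return "NO_MATCH"

def hunt(events):
    """Classify every event and drop NO_MATCH rows, as the query's filter pipe does."""
    rows = [(ev.get("ComputerName"), classify(ev)) for ev in events]
    return [r for r in rows if r[1] != "NO_MATCH"]
```

The WS02 event shows the svchost.exe parent exclusion suppressing an otherwise matching command, and WS04 shows a job-shaping switch reaching H3 only because the image is cmd.exe rather than bitsadmin.exe.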
Variables to adjust
Review and adjust the values to suit your environment.