Windows BITS transfer job downloaded to suspicious folder

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects BITS transfer jobs that download files to suspicious folders such as Desktop, Public, or PerfLogs.

Strategy

This rule monitors for Windows event ID 16403, which records when BITS transfer jobs are created. BITS is a Windows service for background file transfers that can resume after interruptions. This capability is particularly concerning because BITS runs with SYSTEM privileges and can continue transfers even when users are logged off.

The query examines the @Event.EventData.Data.LocalName field to identify suspicious destination paths including Desktop, Public, or PerfLogs folders. Legitimate software rarely uses BITS to download directly to user-accessible locations such as these. Instead, most legitimate applications download to temporary locations first before moving files to their final destination.

When attackers use BITS to download files to these unusual locations, they gain immediate user visibility and execution opportunities. Downloads to locations like Desktop provide easy access to malicious payloads, while Public folders offer executable access to all users on the system.
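The matching logic described above, carried through as an added example that is not the rule's own source: it parses constructed Windows-style event XML, keeps only event ID 16403, and flags a LocalName whose path contains a Desktop, Public, or PerfLogs segment. The EventData field names User and url are assumed for illustration; LocalName is the field the rule queries.

```python
"""Evaluate the BITS suspicious-folder rule over constructed event records."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

BITS_JOB_EVENT_ID = "16403"
SUSPICIOUS_FOLDERS = {"desktop", "public", "perflogs"}

# Constructed sample events (not real telemetry); layout mimics Windows EventData/Data.
SAMPLE_EVENTS = [
    # BITS job writing to a user's Desktop: should alert
    r"""<Event><System><EventID>16403</EventID></System><EventData>
    <Data Name="User">CONTOSO\alice</Data>
    <Data Name="url">http://updates.example/update.bin</Data>
    <Data Name="LocalName">C:\Users\alice\Desktop\update.bin</Data>
    </EventData></Event>""",
    # BITS job writing to the Public profile: should alert
    r"""<Event><System><EventID>16403</EventID></System><EventData>
    <Data Name="User">CONTOSO\bob</Data>
    <Data Name="url">http://cdn.example/tools.exe</Data>
    <Data Name="LocalName">C:\Users\Public\tools.exe</Data>
    </EventData></Event>""",
    # Typical installer behaviour: download to Temp first, should not alert
    r"""<Event><System><EventID>16403</EventID></System><EventData>
    <Data Name="User">CONTOSO\alice</Data>
    <Data Name="url">http://vendor.example/setup.msi</Data>
    <Data Name="LocalName">C:\Users\alice\AppData\Local\Temp\setup.msi</Data>
    </EventData></Event>""",
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) from one Windows-style event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("System/EventID")
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}
    return event_id, data

def suspicious_folder(local_name):
    """Return the offending folder name, matching whole path segments only
    (case-insensitive), so 'PublicTools' does not count as 'Public'."""
    for part in PureWindowsPath(local_name).parts:
        if part.lower() in SUSPICIOUS_FOLDERS:
            return part
    return None

def evaluate(events):
    """Apply the rule to a list of event XML strings; return alert records."""
    alerts = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != BITS_JOB_EVENT_ID:
            continue  # only BITS job creation events are in scope
        folder = suspicious_folder(data.get("LocalName", ""))
        if folder is None:
            continue
        alerts.append({"user": data.get("User"), "url": data.get("url"),
                       "local_name": data["LocalName"], "folder": folder})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```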

Triage & Response

  • Identify the specific BITS job on {{host}} and examine both the source URL and exact destination path in the suspicious folder.
  • Determine which user account or process initiated the BITS job by reviewing the security context.
  • Analyze the downloaded file for malicious content using sandbox analysis or antivirus scanning.
  • Examine process creation events that might be associated with executing the downloaded file.
  • Verify if other systems in the environment have similar BITS jobs downloading to suspicious locations.
  • Check for persistence mechanisms established via the downloaded files, including scheduled tasks, registry autorun keys, startup folder items, and Windows services.
  • Remove any suspicious BITS jobs with Remove-BitsTransfer and delete associated downloaded files.
  • Implement application control policies to prevent execution from user-accessible folders.