last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

BITS job detection added #8

Closed fkadibs closed 1 year ago

fkadibs commented 1 year ago

Added a detection for BITS persistence by checking for BITS jobs currently in an Error job state with NotifyCmdLine value present.

A malicious user can establish persistence by creating a BITS transfer that intentionally errors, such as a 404 status. The BITS service will periodically retry the transfer, including on system startup. Each time the transfer errors, the NotifyCmdLine value is executed. This technique is not identified by Sysinternals Autorun.

The Path field references the BITS Job ID, which would be used for investigation and remediation. The Value field references the NotifyCmdLine value, which is useful for identifying potential false positives.

Example output:

Hostname        : WORKSTATION
Technique       : BITS Job NotifyCmdLine
Classification  : MITRE ATT&CK T1197.003
Path            : eb957077-bd64-40d6-acf8-3408b0940a0c
Value           : calc.exe
Access Gained   : User
Note            : Windows Background Intelligent Transfer Service (BITS) can be used to persistently execute code by
                  creating long-standing jobs. Here we list jobs with an Error job state and NotifyCmdLine values,
                  where the command line value is executed each time the BITS transfer is retried.
Reference       : https://attack.mitre.org/techniques/T1197/
Signature       : Status = Valid, Subject = CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
                  C=US
IsBuiltinBinary : True
IsLolbin        : False
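One way to implement the check this PR describes, as an added example that is not the PR's or PersistenceSniper's own code: enumerate BITS jobs that sit in the Error state and carry a NotifyCmdLine, and report each one with its Job ID (for remediation) and command line (for false-positive triage). It assumes the BitsTransfer module's Get-BitsTransfer cmdlet, that the BitsJob objects it returns expose JobState and NotifyCmdLine properties, and that -AllUsers is run from an elevated session. Get-SuspiciousBitsJob and its KnownGood parameter are hypothetical names, not part of the module.

```powershell
# Added example, not PersistenceSniper code. Hunts the BITS persistence pattern
# described in the PR: a job stuck in the Error state whose NotifyCmdLine is run
# each time BITS retries the transfer.
# Assumptions: Get-BitsTransfer is available (BitsTransfer module) and the
# BitsJob object exposes JobState and NotifyCmdLine; -AllUsers needs admin rights.
function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list: command lines you have already verified as legitimate,
        # used only to mark likely false positives, never to hide them
        [string[]]$KnownGood = @()
    )

    Import-Module BitsTransfer -ErrorAction Stop

    # Jobs belonging to other users are only visible with -AllUsers (elevated);
    # fall back to the current user's jobs so the hunt still produces results
    try {
        $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate all users' jobs ($($_.Exception.Message)); showing the current user's jobs only."
        $jobs = Get-BitsTransfer
    }

    foreach ($job in $jobs) {
        # Only Error-state jobs match the pattern the PR describes
        if ($job.JobState -ne 'Error') { continue }

        # NotifyCmdLine may be a single string or a program/arguments pair; normalise to one string
        $cmd = (@($job.NotifyCmdLine) | Where-Object { $_ }) -join ' '
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        # Shape mirrors the PR's example output so findings can be reviewed the same way
        [PSCustomObject]@{
            Hostname            = $env:COMPUTERNAME
            Technique           = 'BITS Job NotifyCmdLine'
            Classification      = 'MITRE ATT&CK T1197'
            Path                = $job.JobId          # Job ID: what you hand to Remove-BitsTransfer after triage
            Value               = $cmd                # the command line BITS executes on each retry
            DisplayName         = $job.DisplayName
            Owner               = $job.OwnerAccount
            Created             = $job.CreationTime
            LikelyFalsePositive = ($KnownGood -contains $cmd)
            Reference           = 'https://attack.mitre.org/techniques/T1197/'
        }
    }
}

# Usage: list findings; remediation (Remove-BitsTransfer on the reported JobId) is a separate,
# post-investigation step and is deliberately not automated here
Get-SuspiciousBitsJob | Format-List
```

The function returns objects rather than printing, so the output can be piped to Export-Csv or compared across hosts; the KnownGood list only annotates a finding, so an allow-listed command line is still reported and can be reviewed.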

last-byte commented 1 year ago

I’ll check in the next few days and give you feedback, thanks!