file where host.os.type == "windows" and event.action == "rename" and
process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and
(file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or
file.Ext.header_bytes : "4d5a*") and
/* noisy paths; for hunting purposes you can run the same query without the following exclusions */
not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and
/* a lot of third-party software uses BITS to download executables with long file names */
not length(file.name) > 30 and
not file.path : (
"?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
"?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe",
"?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe"
)
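To show how the rule's clauses and exclusions interact, here is an added example (not Elastic's code or part of the original rule page) that re-implements the same predicate in plain Python and runs it over constructed, flattened file-rename events. The `make_event` helper, the sample paths and the header-byte values are constructed for illustration; the glob matcher mimics EQL's case-insensitive `:` operator with `*` and `?` wildcards.

```python
"""Plain-Python re-implementation of the BITS ingress-transfer rule above,
run over constructed sample events (added example, not Elastic's own code)."""
from fnmatch import fnmatchcase

# Clauses copied from the EQL rule above.
EXECUTABLE_EXTENSIONS = {"exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh",
                         "js", "vbe", "pif", "scr", "cmd", "cpl"}
MZ_HEADER_GLOB = "4d5a*"        # PE images start with the "MZ" magic bytes
BITS_TEMP_GLOB = "BIT*.tmp"     # BITS downloads to BITxxxx.tmp, then renames the file
MAX_FILE_NAME_LENGTH = 30
NOISY_PATH_GLOBS = (
    "?:\\Program Files\\*", "?:\\Program Files (x86)\\*",
    "?:\\Windows\\*", "?:\\ProgramData\\*\\*",
)
KNOWN_UPDATER_GLOBS = (
    "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp",
    "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe",
    "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\AcroServicesUpdater*.exe",
    "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe",
)


def glob_match(value, patterns):
    """Case-insensitive wildcard match mirroring EQL's ':' operator (* and ? wildcards)."""
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in patterns)


def is_bits_ingress_transfer(event):
    """Return True when a flattened event satisfies every clause of the rule."""
    if event.get("host.os.type") != "windows" or event.get("event.action") != "rename":
        return False
    if not glob_match(event.get("process.name"), ["svchost.exe"]):
        return False
    if not glob_match(event.get("file.Ext.original.name"), [BITS_TEMP_GLOB]):
        return False
    looks_executable = (
        (event.get("file.extension") or "").lower() in EXECUTABLE_EXTENSIONS
        or glob_match(event.get("file.Ext.header_bytes"), [MZ_HEADER_GLOB])
    )
    if not looks_executable:
        return False
    path = event.get("file.path")
    if glob_match(path, NOISY_PATH_GLOBS):          # noisy-path exclusion
        return False
    if len(event.get("file.name") or "") > MAX_FILE_NAME_LENGTH:  # long-name exclusion
        return False
    if glob_match(path, KNOWN_UPDATER_GLOBS):       # known third-party updaters
        return False
    return True


def make_event(path, original="BIT4F2A.tmp", process="svchost.exe",
               extension=None, header="4d5a9000"):
    """Build a constructed, flattened Windows file-rename event (hypothetical helper)."""
    name = path.rsplit("\\", 1)[-1]
    return {
        "host.os.type": "windows",
        "event.action": "rename",
        "process.name": process,
        "file.Ext.original.name": original,
        "file.path": path,
        "file.name": name,
        "file.extension": extension if extension is not None else name.rsplit(".", 1)[-1],
        "file.Ext.header_bytes": header,
    }


# Constructed sample events: the first two should alert, the rest exercise each exclusion.
SAMPLE_EVENTS = [
    make_event("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),               # exe in user temp
    make_event("C:\\Users\\bob\\Downloads\\stage.dat", header="4d5a90000300"),       # odd extension, MZ header
    make_event("C:\\Program Files\\Vendor\\tool.exe"),                               # noisy path
    make_event("C:\\Users\\alice\\AppData\\Local\\Temp\\vendor-autoupdate-package-2024-build.exe"),  # name > 30
    make_event("C:\\Users\\alice\\AppData\\Local\\Adobe\\ARM\\1.0\\RdrServicesUpdater2.exe"),        # known updater
    make_event("C:\\Users\\bob\\Downloads\\notes.txt", header="25504446"),           # not executable
    make_event("C:\\Users\\bob\\Downloads\\tool.exe", original="tool.exe.part", process="chrome.exe"),  # not BITS
]


def alerting_paths(events):
    """Paths of the events the rule would alert on, in input order."""
    return [e["file.path"] for e in events if is_bits_ingress_transfer(e)]


if __name__ == "__main__":
    for path in alerting_paths(SAMPLE_EVENTS):
        print("ALERT", path)
```

Dropping the three exclusion checks from `is_bits_ingress_transfer` gives the broader hunting variant mentioned in the query comment, which would additionally surface the third, fourth and fifth sample events.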
Install detection rules in Elastic Security
Detect Ingress Transfer via Windows BITS in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.