
Conversation

@unicornofhunt
Contributor

@unicornofhunt unicornofhunt commented May 24, 2025

Summary of the Pull Request

reference: https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/

Changelog

new: BITS Client BitsProxy DLL Loaded By Uncommon Process

Example Log Event

<?xml version="1.0"?>
<DataItem type="System.XmlData" time="2025-05-24T06:26:04.7586679-07:00" sourceHealthServiceId="A18FEB8F-23F9-A8C4-0E93-245BABEE7B44">
  <EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Data Name="RuleName">technique_id=T1197,technique_name=BITS</Data>
    <Data Name="UtcTime">2025-05-24 13:26:04.749</Data>
    <Data Name="ProcessGuid">{f4a83506-c8dd-6831-6a0b-000000001100}</Data>
    <Data Name="ProcessId">14356</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\BitsProxy.dll</Data>
    <Data Name="FileVersion">7.8.26100.1882 (WinBuild.160101.0800)</Data>
    <Data Name="Description">Background Intelligent Transfer Service Proxy</Data>
    <Data Name="Product">Microsoft&#xAE; Windows&#xAE; Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="OriginalFileName">qmgrprxy.dll</Data>
    <Data Name="Hashes">SHA1=DDE59105E322DD0742FD582DE685B98C731B21C0,MD5=FDC8DFDBCFDC7637CEA74CECF9D580AB,SHA256=39B245CD0BF0F27241AAAFBB317AEC0D7D01DBF7750851EEF37BB319255C214D,IMPHASH=E68B2C7E33E04DC8081D5A96FEB7F59A</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
    <Data Name="User">unicorn\unicorn</Data>
  </EventData>
</DataItem>

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
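The detection this PR adds keys on a Sysmon Event ID 7 (Image Loaded) record like the one above: BitsProxy.dll (original file name qmgrprxy.dll) being mapped into a process that does not normally use the BITS client API. The following Python is an added illustration of that logic and is not the Sigma rule from the PR or any SigmaHQ code; the `EXPECTED_IMAGES` allowlist is an assumption standing in for whatever filter the real rule uses, and the sample event is constructed with the same EventData layout as the PR's example, with the identifiers trimmed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Sysmon writes its EventData under this namespace, so Data lookups need it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist of processes that legitimately load the BITS client proxy
# DLL (the PR's rule title calls everything else an "uncommon process").
# The real rule's filter list may differ.
EXPECTED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\bitsadmin.exe",
    r"c:\windows\syswow64\bitsadmin.exe",
}


def make_event(image: str, image_loaded: str, original_name: str) -> str:
    """Build a constructed Sysmon-style Image Loaded record for testing."""
    return f"""<?xml version="1.0"?>
<DataItem type="System.XmlData">
  <EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Data Name="RuleName">technique_id=T1197,technique_name=BITS</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{image_loaded}</Data>
    <Data Name="OriginalFileName">{original_name}</Data>
    <Data Name="Signed">true</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</DataItem>"""


# Constructed sample mirroring the PR's example: PowerShell loading BitsProxy.dll.
SAMPLE_EVENT = make_event(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\BitsProxy.dll",
    "qmgrprxy.dll",
)


def parse_event_data(xml_text: str) -> dict:
    """Flatten the <Data Name=...> children into a plain dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", NS)}


def is_bitsproxy_load(ev: dict) -> bool:
    """Match on the loaded path or on the original file name, since a copied
    DLL may be renamed but keeps its version-resource name."""
    loaded = ev.get("ImageLoaded", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return loaded.endswith("\\bitsproxy.dll") or original == "qmgrprxy.dll"


def evaluate(xml_text: str) -> Optional[dict]:
    """Return a finding for BitsProxy.dll loads by a non-allowlisted process,
    or None when the event is benign or unrelated."""
    ev = parse_event_data(xml_text)
    if not is_bitsproxy_load(ev):
        return None
    image = ev.get("Image", "").lower()
    if image in EXPECTED_IMAGES:
        return None
    return {
        "image": ev.get("Image"),
        "image_loaded": ev.get("ImageLoaded"),
        "rule_name": ev.get("RuleName"),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENT))
```

Matching on `OriginalFileName` as well as the on-disk path is the part worth keeping from this sketch: the version resource survives a rename, so a hunt that only looks for the literal `BitsProxy.dll` path misses a copied-and-renamed module, while the allowlist keeps the service host and the BITS command-line client out of the results.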

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels May 24, 2025
Contributor

@github-actions github-actions bot left a comment


Welcome @unicornofhunt 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@phantinuss
Collaborator

I just ran the pipeline and there are some format errors. Please have a look and let me know if you need assistance.

@phantinuss phantinuss added the Author Input Required changes the require information from original author of the rules label May 28, 2025
unicornofhunt and others added 5 commits June 2, 2025 14:00
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@nasbench nasbench requested a review from phantinuss June 4, 2025 16:51
@nasbench nasbench added 2nd Review Needed and removed Author Input Required changes the require information from original author of the rules labels Jun 4, 2025
@phantinuss phantinuss merged commit 0d8580a into SigmaHQ:master Jun 12, 2025
12 checks passed