Threat Hunt | low | experimental

BITS Client BitsProxy DLL Loaded By Uncommon Process

Detects an uncommon process loading "BitsProxy.dll", the DLL that is loaded when the BITS COM instance or API is used. This detection can be used to hunt for uncommon processes loading this DLL in your environment, which may indicate suspicious activity.

UnicornOfHunt | Created Wed Jun 04 | e700ff14-1bff-4d1d-9438-738dff5f0466 | windows
Hunting Hypothesis
Log Source
Product
Windows (raw: windows)
Category
Image Load (DLL) (raw: image_load)
Detection Logic (3 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\BitsProxy.dll'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\aitstatic.exe'
            - 'C:\Windows\System32\bitsadmin.exe'
            - 'C:\Windows\System32\desktopimgdownldr.exe'
            - 'C:\Windows\System32\DeviceEnroller.exe'
            - 'C:\Windows\System32\MDMAppInstaller.exe'
            - 'C:\Windows\System32\ofdeploy.exe'
            - 'C:\Windows\System32\RecoveryDrive.exe'
            - 'C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe'
            # - 'C:\Windows\System32\svchost.exe' # BITS Service - If you collect CommandLine info. Apply a filter for the specific BITS service.
            - 'C:\Windows\SysWOW64\bitsadmin.exe'
            - 'C:\Windows\SysWOW64\OneDriveSetup.exe'
            - 'C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
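The condition above, evaluated over constructed Sysmon-style image-load events, as an added example that is not part of the rule or of the Sigma project: the field names Image and ImageLoaded are the rule's, the sample event paths are constructed, and the svchost.exe event shows why the commented-out filter entry matters when no CommandLine field is collected.

```python
from typing import Dict, List

# Selectors transcribed from the rule above. Sigma string modifiers match
# case-insensitively, so every comparison below is done on lower-cased values.
SELECTION_SUFFIX = "\\bitsproxy.dll"
FILTER_MAIN_SYSTEM = [
    r"C:\Windows\System32\aitstatic.exe",
    r"C:\Windows\System32\bitsadmin.exe",
    r"C:\Windows\System32\desktopimgdownldr.exe",
    r"C:\Windows\System32\DeviceEnroller.exe",
    r"C:\Windows\System32\MDMAppInstaller.exe",
    r"C:\Windows\System32\ofdeploy.exe",
    r"C:\Windows\System32\RecoveryDrive.exe",
    r"C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe",
    r"C:\Windows\SysWOW64\bitsadmin.exe",
    r"C:\Windows\SysWOW64\OneDriveSetup.exe",
    r"C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe",
]
FILTER_OPTIONAL_CHROME = [r"C:\Program Files\Google\Chrome\Application\chrome.exe"]


def matches(event: Dict[str, str]) -> bool:
    """Evaluate: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    image_loaded = event.get("ImageLoaded", "").lower()
    image = event.get("Image", "").lower()
    selection = image_loaded.endswith(SELECTION_SUFFIX)
    filter_main = any(image == p.lower() for p in FILTER_MAIN_SYSTEM)
    filter_optional = any(image == p.lower() for p in FILTER_OPTIONAL_CHROME)
    return selection and not filter_main and not filter_optional


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events a hunter would review (those the rule flags)."""
    return [e for e in events if matches(e)]


# Constructed sample events (Sysmon Event ID 7 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ImageLoaded": r"C:\Windows\System32\BitsProxy.dll"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ImageLoaded": r"C:\Windows\System32\BitsProxy.dll"},
    {"Image": r"C:\Temp\unknown_tool.exe", "ImageLoaded": r"C:\Windows\System32\BitsProxy.dll"},
    # svchost.exe is deliberately not in the filter list, so the BITS service itself is flagged
    # unless a CommandLine-based filter for that specific service is added, as the rule notes.
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\BitsProxy.dll"},
    {"Image": r"C:\Temp\unknown_tool.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("review:", hit["Image"])
```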
False Positives

Allowed binaries in the environment that do BITS Jobs

MITRE ATT&CK

attack.defense-evasion, attack.persistence, attack.t1197 (BITS Jobs)

Other

detection.threat-hunting
Rule Metadata
Rule ID
e700ff14-1bff-4d1d-9438-738dff5f0466
Status
experimental
Level
low
Type
Threat Hunt
Created
Wed Jun 04
Path
rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting