Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud.

During an investigation, you can use bitsadmin /list /verbose to list the current BITS jobs. In some suspicious and malicious instances, BITS jobs will be created. It is important to review all parallel and child processes to capture any behaviors and artifacts. Note that the related network connection or file modification events will not be spawned by bitsadmin.exe; those artifacts will instead appear under a parallel svchost.exe process with a command line similar to svchost.exe -k netsvcs -s BITS. Typically, once the transfer has executed, a follow-on command will be used to execute the dropped file. Review the reputation of the IP address or domain used. In addition, look for download or upload on the command line, although these switches are not required to perform a transfer. The following query identifies the Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object.
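The detection logic described above, as an added example that is not part of the original page or the Splunk content: it runs over constructed process-creation events (field names host, process_name, process and parent_process_name are assumed), flags bitsadmin.exe using the transfer parameter whether or not a /download or /upload switch is present, and separately tags the svchost.exe BITS host where the network and file artifacts will appear.

```python
import re

# Constructed sample events; hosts, URLs and paths are illustrative only.
EVENTS = [
    {"host": "ws01", "process_name": "bitsadmin.exe",
     "process": "bitsadmin.exe /transfer job1 http://example.test/a.bin C:\\Users\\Public\\a.bin",
     "parent_process_name": "cmd.exe"},
    {"host": "ws01", "process_name": "bitsadmin.exe",
     "process": "bitsadmin.exe /TRANSFER job2 /DOWNLOAD /PRIORITY normal http://example.test/b.bin C:\\tmp\\b.bin",
     "parent_process_name": "powershell.exe"},
    {"host": "ws01", "process_name": "bitsadmin.exe",
     "process": "bitsadmin /list /verbose",
     "parent_process_name": "cmd.exe"},
    {"host": "ws01", "process_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs -s BITS",
     "parent_process_name": "services.exe"},
]

# The transfer verb may be written with a slash or dash prefix and in any casing.
TRANSFER_RE = re.compile(r"(?:^|\s)[/-]transfer(?:\s|$)", re.IGNORECASE)
# The svchost instance hosting BITS, where connection and file-write events show up.
BITS_HOST_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\s+-s\s+BITS", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SWITCH_RE = re.compile(r"/(download|upload)\b", re.IGNORECASE)


def find_bitsadmin_transfers(events):
    """Return bitsadmin.exe events using the transfer parameter, with the remote URL
    (for reputation review) and the parent process (the likely launcher)."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() != "bitsadmin.exe":
            continue
        if not TRANSFER_RE.search(ev["process"]):
            continue
        url = URL_RE.search(ev["process"])
        hits.append({
            "host": ev["host"],
            "parent": ev["parent_process_name"],
            "url": url.group(0) if url else None,
            # Explicit switches are optional, so their absence is not a reason to drop the hit.
            "explicit_switch": bool(SWITCH_RE.search(ev["process"])),
        })
    return hits


def find_bits_hosts(events):
    """Return the svchost.exe BITS host processes to pivot on for related artifacts."""
    return [ev for ev in events if BITS_HOST_RE.search(ev["process"])]
```

The /list /verbose event is deliberately not flagged, so routine enumeration during an investigation does not generate noise.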