refine BITS rules and add pendingfilerenameoperations persistence rule

Author: akshat4703

communication/http/client/create-bits-job.yml

@@ -5,7 +5,7 @@ rule:
     namespace: communication/http/client
     authors:
       - "@mr-tz"
-    description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine)
+    description: create a Windows BITS job via COM or command-line tooling
     scopes:
       static: function
       dynamic: unsupported  # requires offset, bytes features
@@ -17,13 +17,10 @@ rule:
     examples:
       - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78
   features:
-    - and:
+    - or:
       - and:
         - bytes: 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C = IBackgroundCopyManager
         - bytes: 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 = BITS_ControlClass
         - offset: 0xC = IBackgroundCopyManagerVtbl.CreateJob
-        - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile
-      - optional:
-        - description: SetNotifyCmdLine may be use to persist
-        - bytes: 39 07 B5 54 6F 68 EB 45 9D FF D6 A9 A0 FA A9 AF = IBackgroundCopyJob2
-        - offset: 0x8C = IBackgroundCopyJob2Vtbl.SetNotifyCmdLine
+      - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/create\b/i
+      - string: /\bStart-BitsTransfer\b/i

communication/http/client/transfer-files-via-bits.yml

@@ -4,29 +4,23 @@ rule:
     namespace: communication/http/client
     authors:
       - akshat4703
-    description: detect file transfer via Windows Background Intelligent Transfer Service (BITS), excluding persistence-focused NotifyCmdLine usage
+    description: transfer files using a BITS job
     scopes:
       static: function
-      dynamic: call
+      dynamic: unsupported  # requires offset, bytes features
     att&ck:
       - Defense Evasion::BITS Jobs [T1197]
     references:
-      - https://www.mandiant.com/resources/attacker-use-of-windows-background-intelligent-transfer-service
-      - https://learn.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal
+      - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+      - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
+      - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer
     examples:
       - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78
   features:
-    - or:
+    - and:
       - match: create BITS job
-      - and:
-        - match: host-interaction/process/create
-        - or:
-          - and:
-            - string: /\bbitsadmin(\.exe)?\b/i
-            - string: /\/(transfer|addfile)\b/i
-          - string: /\bStart-BitsTransfer\b/i
-          - string: /Set-BitsTransfer /i
-        - not:
-          - string: /\/SetNotifyCmdLine\b/i
-        - not:
-          - string: /\s-NotifyCmdLine\b/i
+      - or:
+        - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile
+        - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/addfile\b/i
+        - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/transfer\b/i
+        - string: /\bSet-BitsTransfer\b/i

nursery/persist-via-bits-job.yml

@@ -16,10 +16,10 @@ rule:
       - match: host-interaction/process/create
       - or:
         - and:
-          - string: /bitsadmin(|\.exe) /i
-          - string: /\/SetNotifyCmdLine/i
+          - string: /\bbitsadmin(?:\.exe)?\b/i
+          - string: /\b\/SetNotifyCmdLine\b/i
         - and:
           - or:
-            - string: /Set-BitsTransfer /i
-            - string: /Start-BitsTransfer /i
-          - string: / -NotifyCmdLine /i
+            - string: /\bSet-BitsTransfer\b/i
+            - string: /\bStart-BitsTransfer\b/i
+          - string: /\b-NotifyCmdLine\b/i

nursery/persist-via-pendingfilerenameoperations-registry-value.yml

@@ -4,18 +4,18 @@ rule:
     namespace: persistence/registry
     authors:
       - akshat4703
+    description: persist by queuing file rename or delete operations via Session Manager at next reboot
     scopes:
       static: function
       dynamic: span of calls
+    att&ck:
+      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
     references:
       - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-movefileexa
       - https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
     examples:
       - ac742739cae0d411dfcb78ae99a7baee:0x140002318
   features:
     - and:
-      - or:
-        - match: set registry value
-        - number: 0x80000002 = HKEY_LOCAL_MACHINE
-      - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager/i
-      - string: /PendingFileRenameOperations/i
+      - match: set registry value
+      - string: /\bSystem\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\PendingFileRenameOperations\b/i