Remove COM usage detection from BITS jobs persistence

mandiant · Nov 22, 2024 · 5873d7f · 5873d7f
1 parent 82a9d40
commit 5873d7f
Showing 1 changed file with 11 additions and 15 deletions.
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
@@ -12,18 +12,14 @@ rule:
     references:
       - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
   features:
-    - or:
-      - and:
-        - api: ole32.CoCreateInstance
-        - com/class: BackgroundCopyManager # 4991d34b-80a1-4291-83b6-3328366b9097
-      - and:
-        - match: host-interaction/process/create
-        - or:
-          - and:
-            - string: /bitsadmin(|\.exe) /i
-            - string: /\/SetNotifyCmdLine/i
-          - and:
-            - or:
-              - string: /Set-BitsTransfer /i
-              - string: /Start-BitsTransfer /i
-            - string: / -NotifyCmdLine /i
+    - and:
+      - match: host-interaction/process/create
+      - or:
+        - and:
+          - string: /bitsadmin(|\.exe) /i
+          - string: /\/SetNotifyCmdLine/i
+        - and:
+          - or:
+            - string: /Set-BitsTransfer /i
+            - string: /Start-BitsTransfer /i
+          - string: / -NotifyCmdLine /i