From 207993aa63ee5a36e398540ccb59fde274d0e8da Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Wed, 11 Mar 2026 13:21:18 +0530
Subject: [PATCH] refine BITS rules and add PendingFileRenameOperations persistence rule
---
communication/http/client/create-bits-job.yml | 11 +++-----
.../http/client/transfer-files-via-bits.yml | 26 +++++++++++++++++++
nursery/persist-via-bits-job.yml | 10 +++----
...ingfilerenameoperations-registry-value.yml | 21 +++++++++++++++
4 files changed, 56 insertions(+), 12 deletions(-)
create mode 100644 communication/http/client/transfer-files-via-bits.yml
create mode 100644 nursery/persist-via-pendingfilerenameoperations-registry-value.yml
diff --git a/communication/http/client/create-bits-job.yml b/communication/http/client/create-bits-job.yml
index 85ad67047..ac9171546 100644
--- a/communication/http/client/create-bits-job.yml
+++ b/communication/http/client/create-bits-job.yml
@@ -5,7 +5,7 @@ rule:
 namespace: communication/http/client
 authors:
 - "@mr-tz"
- description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine)
+ description: create a Windows BITS job via COM or command-line tooling
 scopes:
 static: function
 dynamic: unsupported # requires offset, bytes features
@@ -17,13 +17,10 @@ rule:
 examples:
 - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78
 features:
- - and:
+ - or:
 - and:
 - bytes: 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C = IBackgroundCopyManager
 - bytes: 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 = BITS_ControlClass
 - offset: 0xC = IBackgroundCopyManagerVtbl.CreateJob
- - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile
- - optional:
- - description: SetNotifyCmdLine may be use to persist
- - bytes: 39 07 B5 54 6F 68 EB 45 9D FF D6 A9 A0 FA A9 AF = IBackgroundCopyJob2
- - offset: 0x8C = IBackgroundCopyJob2Vtbl.SetNotifyCmdLine
+ - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/create\b/i
+ - string: /\bStart-BitsTransfer\b/i
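Review bot: The new `bitsadmin` regex in the second hunk cannot match the ordinary `bitsadmin /create ...` command line, because the `\b` placed before `\/create` demands a word character immediately before the slash and the preceding space is not one; under a `\w`/`\W`-boundary engine the pattern only fires on forms such as `bitsadmin/create`. Dropping that boundary, `- string: /\bbitsadmin(?:\.exe)?\b.{0,80}\/create\b/i`, keeps the rest of the pattern intact. The same `\b`-before-punctuation problem affects `\/addfile` and `\/transfer` in transfer-files-via-bits.yml and `\/SetNotifyCmdLine` and `-NotifyCmdLine` in persist-via-bits-job.yml, where it regresses patterns that previously matched; `/\/SetNotifyCmdLine\b/i` and `/(?:^|\s)-NotifyCmdLine\b/i` preserve the intended tightening there. The rule's only example still exercises the COM branch, so a sample covering the command-line branch would let the rule tests catch this.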
diff --git a/communication/http/client/transfer-files-via-bits.yml b/communication/http/client/transfer-files-via-bits.yml
new file mode 100644
index 000000000..683830f5f
--- /dev/null
+++ b/communication/http/client/transfer-files-via-bits.yml
@@ -0,0 +1,26 @@
+rule:
+ meta:
+ name: transfer files via BITS
+ namespace: communication/http/client
+ authors:
+ - akshat4703
+ description: transfer files using a BITS job
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, bytes features
+ att&ck:
+ - Defense Evasion::BITS Jobs [T1197]
+ references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
+ - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer
+ examples:
+ - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78
+ features:
+ - and:
+ - match: create BITS job
+ - or:
+ - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile
+ - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/addfile\b/i
+ - string: /\bbitsadmin(?:\.exe)?\b.{0,80}\b\/transfer\b/i
+ - string: /\bSet-BitsTransfer\b/i
diff --git a/nursery/persist-via-bits-job.yml b/nursery/persist-via-bits-job.yml
index fdd32715c..5228a768e 100644
--- a/nursery/persist-via-bits-job.yml
+++ b/nursery/persist-via-bits-job.yml
@@ -16,10 +16,10 @@ rule:
 - match: host-interaction/process/create
 - or:
 - and:
- - string: /bitsadmin(|\.exe) /i
- - string: /\/SetNotifyCmdLine/i
+ - string: /\bbitsadmin(?:\.exe)?\b/i
+ - string: /\b\/SetNotifyCmdLine\b/i
 - and:
 - or:
- - string: /Set-BitsTransfer /i
- - string: /Start-BitsTransfer /i
- - string: / -NotifyCmdLine /i
+ - string: /\bSet-BitsTransfer\b/i
+ - string: /\bStart-BitsTransfer\b/i
+ - string: /\b-NotifyCmdLine\b/i
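Review bot: The single-command forms listed in this rule's `or` can never satisfy it on their own, because `match: create BITS job` is required first and that rule offers no `\/transfer` or `Set-BitsTransfer` alternative, so a sample that only uses `bitsadmin /transfer` (which creates the job itself) is reported by neither rule. The reverse gap exists for `Start-BitsTransfer`: it satisfies the create rule but is absent here, so a Start-BitsTransfer-only sample is never flagged as transferring files. Adding `- string: /\bStart-BitsTransfer\b/i` to this `or` and mirroring the `/transfer` form in create-bits-job.yml would make the pair consistent; otherwise the `description` should say the rule only covers the two-step create-then-add flow. The `examples` entry is the COM sample reused from create-bits-job.yml, so none of the string branches here is exercised by an example.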
diff --git a/nursery/persist-via-pendingfilerenameoperations-registry-value.yml b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
new file mode 100644
index 000000000..fd9921beb
--- /dev/null
+++ b/nursery/persist-via-pendingfilerenameoperations-registry-value.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: persist via PendingFileRenameOperations registry value
+ namespace: persistence/registry
+ authors:
+ - akshat4703
+ description: persist by queuing file rename or delete operations via Session Manager at next reboot
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-movefileexa
+ - https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
+ examples:
+ - ac742739cae0d411dfcb78ae99a7baee:0x140002318
+ features:
+ - and:
+ - match: set registry value
+ - string: /\bSystem\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\PendingFileRenameOperations\b/i
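Review bot: The trailing `\b` in the registry-path regex admits only the exact value name `PendingFileRenameOperations`; if the `PendingFileRenameOperations2` sibling value that Session Manager also processes at boot is meant to be covered, the boundary excludes it because `s` and `2` are both word characters, and ending the pattern with `PendingFileRenameOperations2?\b` would match both. The `att&ck` mapping to T1547.001 (Registry Run Keys / Startup Folder) looks like a loose fit for a Session Manager file-operation queue; confirm whether the parent technique or another sub-technique is intended. A sentence in `description` would also help readers: the rule only catches code that writes the value directly, whereas `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` (the first reference) populates the same value through the API without the path string appearing in the binary, so that path is out of scope here.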