create BITS job

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: create BITS job
    namespace: communication/http/client
    authors:
      - "@mr-tz"
    description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine)
    scopes:
      static: function
      dynamic: unsupported  # requires offset, bytes features
    att&ck:
      - Defense Evasion::BITS Jobs [T1197]
      - Persistence::BITS Jobs [T1197]
    references:
      - https://www.mandiant.com/resources/attacker-use-of-windows-background-intelligent-transfer-service
    examples:
      - 08ac667c65d36d6542917655571e61c8.exe_:0x401E78
  features:
    - and:
      - and:
        - bytes: 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C = IBackgroundCopyManager
        - bytes: 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 = BITS_ControlClass
        - offset: 0xC = IBackgroundCopyManagerVtbl.CreateJob
        - offset: 0x10 = IBackgroundCopyJobVtbl.AddFile
      - optional:
        - description: SetNotifyCmdLine may be use to persist
        - bytes: 39 07 B5 54 6F 68 EB 45 9D FF D6 A9 A0 FA A9 AF = IBackgroundCopyJob2
        - offset: 0x8C = IBackgroundCopyJob2Vtbl.SetNotifyCmdLine