BITS Jobs
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)
Procedure Examples |
|
Name | Description |
---|---|
MarkiRAT |
MarkiRAT can use BITS Utility to connect with the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
Patchwork |
Patchwork has used BITS jobs to download malicious payloads.(Citation: Unit 42 BackConfig May 2020) |
Bazar |
Bazar has been downloaded via Windows BITS functionality.(Citation: NCC Group Team9 June 2020) |
Cobalt Strike |
Cobalt Strike can download a hosted "beacon" payload using BITSAdmin.(Citation: CobaltStrike Scripted Web Delivery)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020) |
Egregor |
Egregor has used BITSadmin to download and execute malicious DLLs.(Citation: Intrinsec Egregor Nov 2020) |
Cobalt Strike |
Cobalt Strike can download a hosted "beacon" payload using BITSAdmin.(Citation: CobaltStrike Scripted Web Delivery) |
JPIN |
A JPIN variant downloads the backdoor payload via the BITS service.(Citation: Microsoft PLATINUM April 2016) |
UBoatRAT |
UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.(Citation: PaloAlto UBoatRAT Nov 2017) |
ProLock |
ProLock can use BITS jobs to download its malicious payload.(Citation: Group IB Ransomware September 2020) |
Leviathan |
Leviathan has used BITSAdmin to download additional tools.(Citation: FireEye Periscope March 2018) |
APT39 |
APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.(Citation: FBI FLASH APT39 September 2020) |
BITSAdmin |
BITSAdmin can be used to create BITS Jobs to launch a malicious process.(Citation: TrendMicro Tropic Trooper Mar 2018) |
APT41 |
APT41 used BITSAdmin to download and install payloads.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020) |
Mitigations |
|
Mitigation | Description |
---|---|
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
BITS Jobs Mitigation |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)
Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
Consider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)
Consider reducing the default BITS job lifetime in Group Policy or by editing the |
Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Detection
BITS runs as a service and its status can be checked with the Sc query utility (sc query bits
).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the BITSAdmin tool (bitsadmin /list /allusers /verbose
).(Citation: Microsoft BITS)
Monitor usage of the BITSAdmin tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)
Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS)
References
- Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018.
- Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.
- Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.
- Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.
- Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
- Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
Связанные риски
Риск | Связи | |
---|---|---|
Обход систем защиты из-за
возможности создания заданий Windows Background Intelligent Transfer (BITS) в ОС Windows
Повышение привилегий
Целостность
|
|
|
Закрепление злоумышленника в ОС из-за
возможности создания заданий Windows Background Intelligent Transfer (BITS) в ОС Windows
Повышение привилегий
НСД
|
|
|
Передача данных по скрытым каналам из-за
возможности создания заданий Windows Background Intelligent Transfer (BITS) в ОС Windows
Конфиденциальность
Раскрытие информации
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.