Source: The DFIR Spot Author: thatdfirdude URL: https://www.thedfirspot.com/post/a-bits-of-a-problem-investigating-bits-jobs
ONE SENTENCE SUMMARY:
Background Intelligent Transfer Service (BITS) is a built-in Windows tool often abused by threat actors for malicious purposes like data transfer, persistence, and malware deployment.
MAIN POINTS:
- BITS is a Microsoft feature enabling file downloads/uploads over HTTP, HTTPS, and SMB protocols.
- Threat actors abuse BITS to download malware, maintain persistence, and extend their access within compromised systems.
- BITS jobs can persist after the parent application exits and last up to 90 days.
- BITS stores job information in a database, accessible via PowerShell or BitsAdmin tools.
- Evidence of BITS activity includes Windows Event Logs, Sysmon, PowerShell logs, and registry artifacts.
- Malicious actors can integrate BITS with scheduled tasks, AutoRuns, or PowerShell scripts for stealthy attacks.
- BITS is favored in “Living off the Land” tactics, serving as a LOLBin, because it is already present on every Windows host.
- Limited default logging of BITS makes detection challenging without robust monitoring tools like EDR or Sysmon.
- Investigating BITS requires analyzing execution artifacts, event logs, and database files to trace malicious actions.
- Tools like KAPE, JPCERT artifact lists, and LOLBAS resources assist in identifying and understanding BITS abuse.
TAKEAWAYS:
- BITS jobs enable stealthy file transfers, making them a popular choice for threat actors.
- Detailed logging and monitoring are crucial to detect and investigate BITS-related attacks.
- PowerShell and BitsAdmin are primary tools for creating, managing, and investigating BITS jobs.
- Threat actors use BITS for persistence and payload delivery without triggering basic security alerts.
- A multi-layered approach combining logs, execution artifacts, and behavioral analytics is key to combating BITS abuse.
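The PowerShell-based triage the points above describe (enumerating jobs from the BITS database and pulling BITS-Client event log evidence), as an added example that is not part of the original post. It assumes an elevated PowerShell session on the host under investigation; the allow-listed hosts are placeholders to replace with your own environment's expected update/CDN domains.

```powershell
# Added triage example (not from the original post). Assumes an elevated session;
# the BitsTransfer module and the Microsoft-Windows-Bits-Client/Operational log
# are standard Windows components.
Import-Module BitsTransfer

# 1. Enumerate every live BITS job on the system (-AllUsers requires admin).
#    Jobs outlive the creating process and can linger for up to 90 days, so a
#    job owned by an unexpected user or service account deserves scrutiny.
$jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    [pscustomobject]@{
        JobId         = $job.JobId
        DisplayName   = $job.DisplayName
        Owner         = $job.OwnerAccount
        State         = $job.JobState
        Type          = $job.TransferType
        Created       = $job.CreationTime
        # A command registered to run when the job finishes is a persistence
        # hook that legitimate software rarely sets; surface it explicitly.
        NotifyCmdLine = $job.NotifyCmdLine
        Remote        = ($job.FileList | ForEach-Object { $_.RemoteName }) -join '; '
        Local         = ($job.FileList | ForEach-Object { $_.LocalName }) -join '; '
    }
}

# 2. Pull job lifecycle events from the BITS-Client operational log.
#    Event IDs: 3 = job created, 4 = job completed,
#               59 = transfer started, 60 = transfer stopped.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 3, 4, 59, 60
} -ErrorAction SilentlyContinue

# 3. Flag transfers (event 59 carries the URL) whose remote host is outside
#    the allow list. Placeholder hosts: substitute your own expected domains.
$allowed = @('windowsupdate.com', 'microsoft.com')
foreach ($ev in ($events | Where-Object { $_.Id -eq 59 })) {
    if ($ev.Message -match 'https?://([^/\s]+)') {
        $hostName = $Matches[1]
        $known = $allowed | Where-Object { $hostName -like "*$_" }
        if (-not $known) {
            "$($ev.TimeCreated)  suspicious BITS transfer to $hostName"
        }
    }
}
```

Run the first block against a KAPE-collected image only if you have a live system; offline analysis instead relies on the collected event log and BITS database files the post discusses.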