Source: The DFIR Spot Author: thatdfirdude URL: https://www.thedfirspot.com/post/a-bits-of-a-problem-investigating-bits-jobs

ONE SENTENCE SUMMARY: Background Intelligent Transfer Service (BITS) is a built-in Windows tool often abused by threat actors for malicious purposes like data transfer, persistence, and malware deployment.

MAIN POINTS:

- BITS is a Microsoft feature enabling file downloads/uploads over HTTP, HTTPS, and SMB protocols.
- Threat actors exploit BITS for tasks like downloading malware, persistence, and furthering access in compromised systems.
- BITS jobs can persist after the parent application exits and last up to 90 days.
- BITS stores job information in a database, accessible via PowerShell or BitsAdmin tools.
- Evidence of BITS activity includes Windows Event Logs, Sysmon, PowerShell logs, and registry artifacts.
- Malicious actors can integrate BITS with scheduled tasks, AutoRuns, or PowerShell scripts for stealthy attacks.
- BITS is favored in “Living off the Land” (LOLBIN) tactics due to its native presence in Windows environments.
- Limited default logging of BITS makes detection challenging without robust monitoring tools like EDR or Sysmon.
- Investigating BITS requires analyzing execution artifacts, event logs, and database files to trace malicious actions.
- Tools like KAPE, JPCERT artifact lists, and LOLBAS resources assist in identifying and understanding BITS abuse.
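The points above name PowerShell, BitsAdmin and the Windows event logs as the places an investigator looks for BITS jobs. The following triage script is an added example written for this summary; it is not code from the original post or from its author. It enumerates every user's current BITS jobs through the BitsTransfer module, flags the properties that matter in an investigation (remote URLs, local destinations, and any command line the job is set to run on completion, which is the hook used for persistence), and then pulls job lifecycle records from the BITS client operational log. The log name `Microsoft-Windows-Bits-Client/Operational` and event IDs 3 (job created), 59 (transfer started) and 60 (transfer stopped) are taken from the BITS client log as shipped with Windows and are not stated on the page; treat them as assumptions to confirm against the host you are examining. Run it from an elevated prompt, since jobs owned by other accounts are only visible to an administrator.

```powershell
# Added triage example (not from the original post): enumerate live BITS jobs
# and recent BITS client events for investigation. Requires an elevated shell
# so that -AllUsers returns jobs owned by other accounts.
Import-Module BitsTransfer

# 1. Live jobs from the BITS job database, as exposed by PowerShell.
#    Equivalent legacy view: bitsadmin /list /allusers /verbose
$jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue

foreach ($job in $jobs) {
    # Each job may carry several files; report every remote/local pair.
    $files = $job.FileList | ForEach-Object {
        "{0} -> {1}" -f $_.RemoteName, $_.LocalName
    }

    [PSCustomObject]@{
        JobId            = $job.JobId
        DisplayName      = $job.DisplayName
        Owner            = $job.OwnerAccount
        State            = $job.JobState
        Type             = $job.TransferType
        Created          = $job.CreationTime
        Modified         = $job.ModificationTime
        Files            = ($files -join '; ')
        # A non-empty NotifyCmdLine means a program runs when the job
        # finishes or errors; this is the persistence mechanism the
        # summary refers to and is the first field to scrutinise.
        NotifyCmdLine    = $job.NotifyCmdLine
        NotifyFlags      = $job.NotifyFlags
    }
} | Format-List

# 2. Job lifecycle records from the BITS client operational log.
#    Event IDs assumed here: 3 = job created, 59 = transfer started
#    (includes the remote URL), 60 = transfer stopped.
$since = (Get-Date).AddDays(-90)   # matches the 90-day job lifetime noted above
$filter = @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 3, 59, 60
    StartTime = $since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = {
        # Keep only the first line of the message so the table stays readable;
        # the full message (with URL and job name) is in the original event.
        ($_.Message -split "`r?`n")[0]
    } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

The live-job listing answers "what is BITS transferring right now, for whom, and what will it execute afterwards"; the event query gives the historical timeline, including jobs that have already completed and are no longer in the database. Cross-check the URLs against what the host is expected to contact, and correlate `TimeCreated` with the PowerShell, Sysmon and scheduled-task artifacts the summary lists.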

TAKEAWAYS:

- BITS jobs enable stealthy file transfers, making them a popular choice for threat actors.
- Detailed logging and monitoring are crucial to detect and investigate BITS-related attacks.
- PowerShell and BitsAdmin are primary tools for creating, managing, and investigating BITS jobs.
- Threat actors use BITS for persistence and payload delivery without triggering basic security alerts.
- A multi-layered approach combining logs, execution artifacts, and behavioral analytics is key to combating BITS abuse.