Skip to content
Threat Feed
medium advisory

Ingress Transfer via Windows BITS

Adversaries leverage the Windows Background Intelligent Transfer Service (BITS) to download executable and archive files, potentially delivering malicious payloads while evading traditional security measures.

Attackers may abuse the Windows Background Intelligent Transfer Service (BITS) to transfer malicious files to a compromised system. BITS is a legitimate Windows service used to transfer files asynchronously in the background, which makes it a useful tool for adversaries looking to download malware or exfiltrate data without attracting attention. This technique, known as "Ingress Tool Transfer" (T1105), can be used to deliver payloads such as executables, archives, or scripts. The detection focuses on file rename events involving svchost.exe (the generic host process for Windows services, including BITS) and temporary files with the BIT*.tmp naming convention. This activity is often associated with BITS transfers, allowing defenders to identify potentially malicious downloads. This technique allows attackers to use a trusted Windows process to perform malicious actions, bypassing some security controls and potentially blending in with legitimate system activity.

Attack Chain

  1. The attacker gains initial access to the system through an unrelated method (e.g., phishing, exploit).
  2. The attacker leverages the BITSAdmin tool or equivalent API calls to create a BITS job.
  3. The BITS job is configured to download a malicious payload from a remote server.
  4. The BITS service (svchost.exe) initiates a network connection to the attacker's server.
  5. The malicious payload is downloaded and saved as a temporary file with a BIT*.tmp extension.
  6. Upon completion of the download, the temporary file is renamed to its final intended name, often an executable or archive file.
  7. The attacker executes the downloaded payload, leading to further compromise of the system.
  8. The attacker achieves their final objective, such as establishing persistence, escalating privileges, or deploying ransomware.

Impact

Successful exploitation allows attackers to introduce malware or other malicious tools onto the targeted system. This can lead to a variety of negative consequences, including data theft, system compromise, and network disruption. The use of BITS can make detection more difficult, as the downloads are performed by a legitimate Windows service. The scope of impact varies depending on the specific payload delivered via BITS, but could include complete system takeover.

Recommendation

  • Deploy the Sigma rule "Detect Ingress Transfer via Windows BITS Renaming" to identify suspicious file rename events associated with BITS downloads based on the file.Ext.original.name : "BIT*.tmp" and process.name : "svchost.exe" artifacts.
  • Monitor network connections initiated by svchost.exe, specifically looking for connections to unusual or suspicious domains, as highlighted in the investigation guide section of the brief.
  • Enable Sysmon file creation and process creation logging to improve visibility into BITS activity and activate the Sigma rules.
  • Investigate any instances of bitsadmin.exe being executed, paying close attention to the command-line arguments, as mentioned in the triage and analysis section.
  • Consider using a tool like BitsParser to extract BITS job information from the BITS database files for deeper analysis, as referenced in the investigation guide.

Detection coverage 2

Detect Ingress Transfer via Windows BITS Renaming

medium

Detects the renaming of files downloaded via BITS, indicating a potential malware delivery.

sigma tactics: command_and_control techniques: T1105, T1197 sources: file_event, windows

Detect BITSAdmin Tool Execution

low

Detects the execution of BITSAdmin, a command-line tool used to manage BITS transfers.

sigma tactics: command_and_control techniques: T1197 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →