BITS Job Notify Command Persistence
Adversaries can abuse the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute arbitrary commands for persistence by configuring a BITS job to execute a program after a transfer completes or enters a specific state.
The Background Intelligent Transfer Service (BITS) is a Windows service used for asynchronous, prioritized, and throttled file transfers. Attackers can abuse BITS to achieve persistence by using the SetNotifyCmdLine method to execute a program after a job completes or enters a specified state. This involves creating a BITS job and configuring a notification command line that runs when the job finishes transferring data or reaches a specific state. This technique allows adversaries to execute arbitrary commands or payloads, maintaining persistence on the compromised system. The targeted systems are Windows-based, and the impact can range from malware execution to establishing a persistent backdoor.
Attack Chain
- An attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).
- The attacker creates a new BITS job using the
bitsadmincommand-line tool or the BITS COM API. - The attacker configures the BITS job to transfer a small, benign file (e.g., a text file from a web server) to trigger the job completion event.
- The attacker uses the
SetNotifyCmdLinemethod (viabitsadminor the COM API) to specify a malicious command or executable to run upon job completion or a state change. For example,bitsadmin /SetNotifyCmdLine <job_id> cmd.exe /c powershell.exe -exec bypass -f C:\temp\evil.ps1. - The attacker starts the BITS job, initiating the file transfer.
- Once the file transfer completes, the BITS service executes the configured malicious command via
svchost.exe. - The malicious command executes a PowerShell script or other payload, achieving persistence or other malicious objectives.
- The attacker maintains persistent access to the system, even after reboots or user logoffs, as the BITS job remains configured to execute the malicious command.
Impact
Successful exploitation allows attackers to establish persistence on the compromised Windows system. This can lead to a variety of malicious activities, including unauthorized access to sensitive data, deployment of ransomware, or use of the system as part of a botnet. The impact can vary depending on the payload executed by the BITS job. While the number of victims is not specified, this technique can affect any Windows system where the attacker has sufficient privileges to create and configure BITS jobs.
Recommendation
- Monitor process creation events for processes spawned by
svchost.exewith arguments containing "BITS" and a command-line indicative of malicious activity. Deploy the Sigma rule "Persistence via BITS Job Notify Cmdline" and tune exclusions for legitimate software. - Inspect the command line arguments of processes spawned by
svchost.exefor unusual commands, scripts, or payloads that might indicate malicious use of BITS, as outlined in the investigation guide. - Regularly review and audit existing BITS jobs on systems to identify and remove any unauthorized or suspicious jobs.
- Implement endpoint protection policies to prevent unauthorized use of BITS for persistence, ensuring that only trusted applications can create or modify BITS jobs.
- Enable Sysmon process creation logging to capture detailed information about process execution, including parent-child relationships and command-line arguments, enabling the detection of malicious BITS activity.
Detection coverage 2
Suspicious Process Created by BITS Service
mediumDetects suspicious processes spawned by svchost.exe with BITS arguments, excluding known legitimate executables.
BITSAdmin SetNotifyCmdLine Usage
lowDetects the use of bitsadmin to set a notification command line, potentially for malicious persistence.
Detection queries are available on the platform. Get full rules →