{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bits/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["persistence","bits","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Background Intelligent Transfer Service (BITS) is a Windows service used for asynchronous, prioritized, and throttled file transfers. Attackers can abuse BITS to establish persistence by using the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to execute a program after a BITS job completes or enters a specific state. This technique allows adversaries to run arbitrary code with elevated privileges, bypassing traditional security measures. The detection rule identifies suspicious processes initiated by BITS, excluding known legitimate executables like \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, \u003ccode\u003eWerFault.exe\u003c/code\u003e, \u003ccode\u003ewermgr.exe\u003c/code\u003e, and \u003ccode\u003edirectxdatabaseupdater.exe\u003c/code\u003e. This behavior can be employed to maintain access to a compromised system, even after a reboot or user logout. Defenders need to monitor BITS activity for unusual command-line executions to detect and prevent potential persistence attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through other means (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the BITSAdmin tool or PowerShell cmdlets to create a new BITS job.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the BITS job to download a malicious payload or execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e method to set a command that will be executed upon job completion or a specified state change.\u003c/li\u003e\n\u003cli\u003eThe BITS service executes the specified command, which can be a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) or a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious command downloads or executes further payloads, establishing persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access, allowing them to execute commands, steal data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This can lead to data theft, further malware deployment, or complete system compromise. The BITS service runs with elevated privileges, so any command executed via \u003ccode\u003eSetNotifyCmdLine\u003c/code\u003e will also run with those privileges. This persistence mechanism is difficult to detect because BITS is a legitimate Windows service, and its activity can be easily masked as normal system operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for processes spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with arguments containing \u0026ldquo;BITS\u0026rdquo; but not in the exclusion list (WerFaultSecure.exe, WerFault.exe, wermgr.exe, directxdatabaseupdater.exe) using the \u0026ldquo;Persistence via BITS Job Notify Cmdline\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious BITS Job Creation\u0026rdquo; to identify unusual BITS job creation activities.\u003c/li\u003e\n\u003cli\u003eReview BITS job configurations on systems to identify and remove any unauthorized or suspicious jobs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed information about process execution, including parent-child relationships and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T10:00:00Z","date_published":"2024-01-26T10:00:00Z","id":"/briefs/2024-01-26-bits-persistence/","summary":"Adversaries can achieve persistence by abusing the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program after a job finishes, leading to arbitrary code execution and system compromise.","title":"Persistence via BITS Job Notify Cmdline","url":"https://feed.craftedsignal.io/briefs/2024-01-26-bits-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Background Intelligent Transfer Service (BITS)","Adobe Reader","Docker Desktop"],"_cs_severities":["low"],"_cs_tags":["bits","ingress-transfer","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","Docker"],"content_html":"\u003cp\u003eThe Windows Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the \u003ccode\u003esvchost.exe\u003c/code\u003e process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where \u003ccode\u003esvchost.exe\u003c/code\u003e renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.\u003c/li\u003e\n\u003cli\u003eThe BITS job is configured to download a malicious executable or archive from a remote server using the \u003ccode\u003ebitsadmin.exe\u003c/code\u003e utility.\u003c/li\u003e\n\u003cli\u003eBITS downloads the file to a temporary location on the system with a \u003ccode\u003eBIT*.tmp\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esvchost.exe\u003c/code\u003e process renames the temporary file to its final name and extension (e.g., .exe, .zip).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file, initiating further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence through registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Ingress Transfer via Windows BITS\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by \u003ccode\u003esvchost.exe\u003c/code\u003e to identify potentially malicious downloads.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003ebitsadmin.exe\u003c/code\u003e being executed, especially with command-line arguments indicative of suspicious downloads.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eMicrosoft-Windows-Bits-Client/Operational\u003c/code\u003e Windows logs (event ID 59) for unusual BITS events.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-bits-ingress-transfer/","summary":"Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.","title":"Ingress Transfer via Windows BITS","url":"https://feed.craftedsignal.io/briefs/2024-01-bits-ingress-transfer/"}],"language":"en","title":"CraftedSignal Threat Feed — Bits","version":"https://jsonfeed.org/version/1.1"}