Persistence via BITS Job Notify Cmdline

hello@craftedsignal.io — Fri, 26 Jan 2024 10:00:00 +0000

The Background Intelligent Transfer Service (BITS) is a Windows service used for asynchronous, prioritized, and throttled file transfers. Attackers can abuse BITS to establish persistence by using the SetNotifyCmdLine method to execute a program after a BITS job completes or enters a specific state. This technique allows adversaries to run arbitrary code with elevated privileges, bypassing traditional security measures. The detection rule identifies suspicious processes initiated by BITS, excluding known legitimate executables like WerFaultSecure.exe, WerFault.exe, wermgr.exe, and directxdatabaseupdater.exe. This behavior can be employed to maintain access to a compromised system, even after a reboot or user logout. Defenders need to monitor BITS activity for unusual command-line executions to detect and prevent potential persistence attempts.

Attack Chain

An attacker gains initial access to a system through other means (e.g., phishing, exploitation of a vulnerability).
The attacker uses the BITSAdmin tool or PowerShell cmdlets to create a new BITS job.
The attacker configures the BITS job to download a malicious payload or execute a malicious script.
The attacker utilizes the SetNotifyCmdLine method to set a command that will be executed upon job completion or a specified state change.
The BITS service executes the specified command, which can be a script interpreter (e.g., powershell.exe, cmd.exe) or a malicious executable.
The malicious command downloads or executes further payloads, establishing persistence on the system.
The attacker maintains persistent access, allowing them to execute commands, steal data, or perform other malicious activities.

Impact

Successful exploitation allows attackers to maintain persistent access to compromised systems. This can lead to data theft, further malware deployment, or complete system compromise. The BITS service runs with elevated privileges, so any command executed via SetNotifyCmdLine will also run with those privileges. This persistence mechanism is difficult to detect because BITS is a legitimate Windows service, and its activity can be easily masked as normal system operations.

Recommendation

Monitor process creation events for processes spawned by svchost.exe with arguments containing “BITS” but not in the exclusion list (WerFaultSecure.exe, WerFault.exe, wermgr.exe, directxdatabaseupdater.exe) using the “Persistence via BITS Job Notify Cmdline” rule.
Implement the Sigma rule “Detect Suspicious BITS Job Creation” to identify unusual BITS job creation activities.
Review BITS job configurations on systems to identify and remove any unauthorized or suspicious jobs.
Enable Sysmon process creation logging to capture detailed information about process execution, including parent-child relationships and command-line arguments.

Ingress Transfer via Windows BITS

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The Windows Background Intelligent Transfer Service (BITS) is a legitimate Windows service that allows for prioritized, asynchronous, and throttled transfer of files between a client and a server. Adversaries abuse BITS to download malicious payloads while evading typical security protections, as file transfers occur in the context of the svchost.exe process. This activity can obscure the origin of the download and bypass application whitelisting rules. This detection focuses on identifying file rename events where svchost.exe renames temporary BITS files (BIT*.tmp) to executable or archive file types, indicating a potential malicious download via BITS. This technique is commonly employed to deliver malware, exfiltrate data, or download additional tools.

Attack Chain

An attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).
The attacker uses a script or command-line interface (e.g., PowerShell) to create a BITS job.
The BITS job is configured to download a malicious executable or archive from a remote server using the bitsadmin.exe utility.
BITS downloads the file to a temporary location on the system with a BIT*.tmp extension.
The svchost.exe process renames the temporary file to its final name and extension (e.g., .exe, .zip).
The attacker executes the downloaded file, initiating further malicious activities.
The malware establishes persistence through registry keys or scheduled tasks.
The malware communicates with a command and control (C2) server to receive instructions and exfiltrate data.

Impact

Successful exploitation enables attackers to download and execute arbitrary code on compromised systems. The use of BITS can bypass traditional security measures, leading to malware infections, data theft, and potentially full system compromise. This technique can be used in conjunction with other attack vectors to establish a persistent foothold within the network. While the rule itself triggers at low severity, the identified activity can be an early warning of more severe attack stages.

Recommendation

Deploy the “Ingress Transfer via Windows BITS” Sigma rule to your SIEM and tune for your environment.
Enable Sysmon file creation and process creation logging to enhance visibility into BITS-related activities.
Monitor network connections initiated by svchost.exe to identify potentially malicious downloads.
Investigate any instances of bitsadmin.exe being executed, especially with command-line arguments indicative of suspicious downloads.
Review Microsoft-Windows-Bits-Client/Operational Windows logs (event ID 59) for unusual BITS events.
Block known malicious domains or IP addresses associated with BITS-related attacks at the firewall or DNS resolver.

Bits — CraftedSignal Threat Feed

Persistence via BITS Job Notify Cmdline

Attack Chain

Impact

Recommendation

Ingress Transfer via Windows BITS

Attack Chain

Impact

Recommendation