Abusing BITS Jobs (Persistence & Defence Evasion)

Attack Detect Defend (rot169)
1 Dec 2020 09:09

Summary

TLDR: This video explores the abuse of the Background Intelligent Transfer Service (BITS), a Windows component used for file transfers, including software updates. The tutorial highlights how attackers can exploit BITS for downloading malware, executing malicious code, and maintaining persistence on compromised systems. It also covers methods for detecting and defending against such abuse, including monitoring tools, network traffic analysis, and system configuration. The video offers practical advice on securing BITS through Group Policy, blocking certain protocols, and applying TLS break-out (decrypting HTTPS traffic for inspection), while emphasizing the importance of balancing security and functionality.

Takeaways

  • BITS (Background Intelligent Transfer Service) is a Windows component designed for file transfers using unused bandwidth, commonly used for downloading software updates.
  • BITS jobs include a list of files to be transferred, metadata such as retry rules, and a command to execute after the transfer is completed.
  • BITS jobs are initially suspended until fully configured, and are only executed once there is enough bandwidth to transfer the files.
  • Attackers can abuse BITS to download and execute malicious files by creating new jobs using tools like `bitsadmin` or PowerShell.
  • Once a malicious file is transferred, it is initially stored as a temporary file and only becomes visible after the attacker completes the job using the `/complete` flag.
  • BITS jobs can also be used for persistence, as jobs can be reactivated whenever the user logs back in, or if the attacker manipulates the job so that it fails and re-triggers periodically.
  • Attackers can use BITS to upload files with the `/upload` flag, providing a method for exfiltrating data from a compromised system.
  • On Windows 7 and older systems, BITS jobs can be used to maintain persistence even without completing the job, ensuring the payload gets executed on every login.
  • BITS job creation does not require special permissions, meaning a non-privileged user can create and abuse BITS jobs for malicious purposes.
  • To detect BITS abuse, administrators can monitor active jobs using `bitsadmin` or PowerShell, and review completed or cancelled jobs through Windows Event Viewer, where job-related logs are recorded.

Q & A

  • What is BITS and what is its primary purpose in Windows?

    - BITS (Background Intelligent Transfer Service) is a component of Windows that facilitates file transfers using unused bandwidth. Its primary purpose is to download software updates without consuming too much bandwidth or slowing down the system.

  • How does BITS handle the transfer of files and jobs?

    - BITS transfers files in jobs, which consist of a list of files to be downloaded over HTTP or SMB. Once a job is fully configured and activated, it enters the transfer queue and proceeds when enough bandwidth is available. Once completed, the job must be acknowledged before it is removed from the queue.

  • Can BITS be used for malicious purposes, and if so, how?

    - Yes, BITS can be exploited by attackers to download and execute malicious code. Attackers can create a new BITS job to transfer malware and trigger its execution once the transfer is complete. This allows them to install malware without detection.

  • How does BITS enable persistence on compromised systems?

    - BITS can be used to establish persistence on a system by creating jobs that re-run whenever a user logs in. On versions of Windows prior to Windows 10, if the job isn't completed, it remains active and re-triggers the malicious payload each time the user logs in.

  • What is the significance of the 'complete' flag in BITS jobs?

    - The 'complete' flag is used to finalize a BITS job, which makes the transferred file visible in the destination folder and removes the job from the BITS queue. Without this flag, the file remains hidden as a temporary file.

  • How can attackers use BITS to upload files from a compromised system?

    - Attackers can use the 'transfer' option in BITS, with the 'upload' flag, to upload files from a compromised system to a remote server. This provides a means of exfiltrating sensitive data.

  • What challenges exist in detecting BITS abuse from a network perspective?

    - From a network perspective, detecting BITS abuse is challenging because BITS transfers use HTTP or SMB, and it may not be easy to distinguish whether a transfer was initiated by BITS or by another mechanism. Additionally, if the traffic is encrypted via HTTPS, it becomes even harder to detect without proper TLS break-out and content filtering.

  • What logging options are available to detect BITS job activities?

    - BITS job activities are logged in the Windows Event Viewer under 'Applications and Services' > 'Microsoft' > 'Windows' > 'BITS Client'. The event logs capture information such as the creation of jobs, the files being transferred, and job completion, though they do not indicate whether a command was triggered upon transfer completion.

  • What are some defensive measures to protect against BITS abuse?

    - Defensive measures include monitoring network traffic for BITS-related HTTP or SMB connections, implementing TLS break-out and content filtering for HTTPS traffic, and using Group Policy to configure BITS settings such as limiting job inactivity timeouts or restricting the number of jobs a user can create.

  • What are the potential consequences of blocking BITS entirely?

    - Blocking BITS entirely could interfere with the system's ability to download important software updates, including security updates. As BITS is used by Windows for many automated background tasks, blocking it might cause system instability or prevent necessary updates from being applied.
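As an added defensive example (not code from the video or the Attack Detect Defend channel), the PowerShell triage script below combines the two host-side detection sources the Q&A names: enumerating live jobs through the BitsTransfer module and reading the BITS Client event log. It assumes the BitsTransfer module is available and that it runs elevated so that `-AllUsers` returns other users' jobs; the event IDs and the seven-day look-back are assumptions to confirm against your own environment.

```powershell
# Added triage example, not the video's own code. Assumes the BitsTransfer
# module is present and the session is elevated (-AllUsers needs admin).
Import-Module BitsTransfer

# 1. Enumerate every user's BITS jobs and flag the traits the talk describes:
#    a post-transfer command (NotifyCmdLine), an upload rather than a download,
#    and a long-lived job that was never completed/acknowledged.
$maxAge = New-TimeSpan -Days 7          # assumed threshold; tune locally
$jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    $flags = @()
    if (($job.NotifyCmdLine -join '') -ne '') {
        $flags += "notify-command: $($job.NotifyCmdLine -join ' ')"
    }
    if ($job.TransferType -ne 'Download') {
        $flags += "transfer-type: $($job.TransferType)"
    }
    $age = (Get-Date) - $job.CreationTime
    if ($age -gt $maxAge) {
        $flags += "age: $([int]$age.TotalDays) days in state $($job.JobState)"
    }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            JobId  = $job.JobId
            Owner  = $job.OwnerAccount
            Name   = $job.DisplayName
            Remote = ($job.FileList | Select-Object -ExpandProperty RemoteName) -join '; '
            Local  = ($job.FileList | Select-Object -ExpandProperty LocalName) -join '; '
            Flags  = $flags -join ' | '
        }
    }
}

# 2. Pull recent job lifecycle events from the BITS Client operational log.
#    IDs 3 (job created), 4 (job completed), 5 (job cancelled), 59 (transfer
#    started, message carries the URL) and 60 (transfer stopped) are the
#    Microsoft-Windows-Bits-Client IDs as assumed here; verify them locally.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 3, 4, 5, 59, 60
    StartTime = (Get-Date) - $maxAge
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Because the event log does not record whether a notify command ran (as the Q&A notes), correlate a flagged job's NotifyCmdLine with process-creation telemetry for the same time window rather than relying on the BITS log alone.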
