T1197: BITS Jobs

Adversaries may abuse BITS jobs persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updates, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.

Adversaries may abuse BITS to download, execute and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.

In the following example I will create a simple bitsadmin job with user Privileges this will start a calc process to execute.

First we use the /create option to create our job

We will attach a file as well:

A file needs to be created for the job to function properly.

Then we will use the SetNotifyCmdLine Parameter this will set a program to execute for notification, and can optionally take parameters. These options can also be NULL.

Too much of an extra step but we will call cmd to start a calc process on our job

Demo:

References:

LOLBAS

PreviousEnvironmental Keyring NextT1134: Access Token Manipulation

Last updated 3 years ago