Monitoring BITSAdmin Misuse – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about BITS, and how it can be used by adversaries to launch attacks (MITRE Technique T1197).

What is BITS?

Background Intelligence Transfer Service (BITS) was first introduced by Microsoft alongside Windows XP. Its purpose is to simplify the downloading and uploading of large files by scheduling data transfers in a way that ensures minimal disruption to the end user experience.

BITS Jobs, created when applications interact with BITS, contain files to be downloaded or uploaded. The service then acts as a host process, scheduling these transfers with convenience in mind. Unfortunately, like many processes operating within your operating system, BITS can be exploited by malicious actors just as much as legitimate applications. This qualifies as a Living Off the Land attack.

Living Off the Land attacks using BITS job

Similar to other Living Off the Land attacks, attackers aim to camouflage themselves by leveraging a pre-existing process. These attackers will use malicious application to create a BITS Job that will start downloading or uploading files within the context of the service host process. As a result, your firewall system may not be able to register the process as malicious or unknown. Pinpointing the precise application responsible for triggering the request then becomes a challenge.

To further complicate monitoring, the asynchronous nature of these transfers makes it so that the malicious application triggering the download may not even be running when the transfer is actually occurring. Due to BITS’ unique way of referencing the triggering application by using a database rather than typical registry key locations, it often can be completely overlooked during monitoring or investigative efforts.

Furthermore, although BITS has been a feature ever since Windows XP, attackers have become increasingly more adept at using it as they’ve come to understand the ramifications of its ability to extend dwell time.

Mandiant, in 2020, reported a specific attack scenario involving Ryuk ransomware, which utilized this exact attack vector to establish the initial backdoor for the attack chain.

How can LogRhythm help?

To counteract this, the Analytic Co-Pilot team have created rules that are rooted in the RedCanary Atomic framework and give organizations the ability to monitor for manual activities typically present when a malicious actor is leveraging BITS.

More precisely, the framework provides for three scenarios: initiating a download via command line, PowerShell, as well as a more complex scenario where the adversary schedules a BITS transfer and then executes a payload following that transfer initiation.

Initially, LogRhythm advises against setting these rules to trigger alerts within your platform, as it is likely that you will need business specific exclusions applied based on your legitimate usage of BITS. Hence, implementing these rules in event-only mode instead will give you the ability to quickly and easily investigate this kind of activity as a scheduled task within the Security Operations Center itself.

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.