BITS JOBS (T1197) v2

Become the kind of leader that people would follow voluntarily, even if you had no title or position
— Brian Tracy

BITS Job Attacks (T1197)

BITS (Background Intelligent Transfer Service) is a Windows feature that enables asynchronous, prioritized, and throttled file transfers between machines over HTTP or SMB. Adversaries abuse BITS jobs for malicious activity, including persistence and execution. This technique is catalogued as T1197 in the MITRE ATT&CK framework.


These steps are a basic level of remediation for Windows, macOS, Linux, AWS, GCP, and Azure. As tools change, remediation advice changes. This entry maps to the MITRE code referenced above. Please check back regularly for updates to this library entry.


Background on BITS Exploitation

Background Intelligent Transfer Service (BITS), a component of Microsoft Windows, has become an increasingly popular tool for cybercriminals and advanced persistent threat (APT) groups. Originally designed to manage file transfers and facilitate Windows updates, BITS has been repurposed by malicious actors because it operates stealthily and with system-level privileges. This abuse of a legitimate Windows feature exemplifies the "living off the land" technique, where attackers use built-in system tools to evade detection.

Timeline and Notable Incidents

Between 2015 and 2017, two significant threat groups, GCMAN and Carbanak (FIN7), demonstrated the effectiveness of BITS exploitation. GCMAN, a Russian-speaking threat actor, targeted financial institutions using BITS jobs for stealthy persistence. Concurrently, Carbanak (FIN7) expanded its reach to the retail and hospitality sectors, leveraging BITS jobs to maintain a foothold in compromised networks and to re-enter those networks when needed. Both groups showed the power of scheduling BITS jobs to execute malicious commands and scripts that blended seamlessly with legitimate Windows operations.

In 2019, the landscape of BITS exploitation evolved with the emergence of APT32 (OceanLotus), a threat actor associated with the Vietnamese government. APT32 employed BITS in a sophisticated campaign, exploiting its capabilities to download and execute malicious payloads while bypassing traditional security mechanisms. This incident highlighted the flexibility and low detection footprint of BITS jobs in maintaining a persistent presence within compromised systems.

The following year, 2020, saw TA505, a financially-motivated cybercrime group known for large-scale operations, incorporate BITS into their arsenal for targeted attacks. TA505 utilized BITS jobs to maintain low-profile persistence, downloading additional payloads after the initial compromise. This tactic underscored the ongoing challenge of detecting "living off the land" techniques that effectively camouflage within normal Windows services.

Key Threat Actors and Their Techniques

Other notable threat actors suspected of leveraging BITS include APT29 (Cozy Bear) and the Sandworm Team. APT29, linked to Russian intelligence services, is believed to have used BITS jobs in high-profile espionage campaigns, exploiting built-in OS features to evade detection. The Sandworm Team, associated with Russian military intelligence, has been known to exploit BITSAdmin in past attacks, further demonstrating the widespread adoption of this technique among sophisticated threat actors.


Technical Insights and Analysis

From a technical standpoint, attackers often prefer PowerShell (e.g., the Start-BitsTransfer cmdlet from the BitsTransfer module) over bitsadmin.exe for its richer scripting capabilities. This approach allows greater flexibility and control in managing BITS jobs. A common persistence mechanism is to create persistent jobs scheduled to run periodically, ensuring sustained control over compromised systems.

One of the key reasons BITS is favored by attackers is its ability to evade defenses. The BITS service runs under the SYSTEM account, so it carries high privileges, and its network traffic blends seamlessly with legitimate Windows operations, making detection challenging for traditional security solutions.

Detection and Mitigation Strategies

To combat BITS exploitation, organizations should implement a multi-layered approach to detection and mitigation. This includes:

  1. Monitoring BITS job creation, with alerts set up for new jobs created by unknown or suspicious processes.

  2. Regular monitoring of BITS administration tools such as bitsadmin.exe and of BITS-related PowerShell activity.

  3. Deployment of advanced Endpoint Detection and Response (EDR) solutions capable of detecting and correlating unusual BITS job activities.

  4. Implementing strict application whitelisting policies to control which processes can create BITS jobs.

  5. Regular security awareness training for staff to recognize potential indicators of compromise related to BITS abuse.


Remediation: On-Prem


Disable BITS Service:

  • Open the Run dialog (`Win + R`), type `services.msc`, and press Enter.

  • Locate and right-click Background Intelligent Transfer Service (BITS).

  • Select Properties, set Startup type to Disabled, and click Stop if running.

  • Click Apply and OK.

Group Policy Configuration:

  1. Open Group Policy Management Console (`gpmc.msc`).

  2. Navigate to Computer Configuration -> Administrative Templates -> Network -> Background Intelligent Transfer Service (BITS).

  3. Enable policies to restrict job types and limit BITS transfers.
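The Group Policy step above can be expressed as the registry values that back the BITS policies. This added example is not from the original page: it sets the two values that MITRE's T1197 mitigation guidance names (JobInactivityTimeout and MaxDownloadTime) and reports the service state; the 7-day and 3600-second limits are assumptions to tune for your environment.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
# These registry values are the machine-level backing of the BITS Group Policy
# settings; in a domain, set the same policies in the GPO instead of editing locally.
$BitsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Set-BitsJobLimits {
    param(
        [int]$InactiveDays = 7,           # assumption: tune for your environment
        [int]$MaxDownloadSeconds = 3600   # assumption: tune for your environment
    )
    if (-not (Test-Path $BitsPolicyKey)) {
        New-Item -Path $BitsPolicyKey -Force | Out-Null
    }
    # Days an idle job may linger before BITS deletes it. The default is 90 days,
    # which is the window a dormant persistence job normally survives.
    Set-ItemProperty -Path $BitsPolicyKey -Name 'JobInactivityTimeout' -Value $InactiveDays -Type DWord
    # Seconds a job may spend transferring before BITS marks it as failed.
    Set-ItemProperty -Path $BitsPolicyKey -Name 'MaxDownloadTime' -Value $MaxDownloadSeconds -Type DWord
    # Return what is now configured so the change can be verified or logged.
    Get-ItemProperty -Path $BitsPolicyKey | Select-Object JobInactivityTimeout, MaxDownloadTime
}

function Get-BitsServiceState {
    # Status and startup type of the service, to confirm the "Disable BITS Service" step.
    Get-Service -Name BITS | Select-Object Name, Status, StartType
}

Set-BitsJobLimits
Get-BitsServiceState
```

Windows Update itself transfers through BITS, so shortening job lifetimes is usually safer than disabling the service outright; test the disable step on a pilot group first.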

Monitor and Audit BITS Jobs:

      Get-BitsTransfer -AllUsers

Run this from an elevated PowerShell session (-AllUsers requires administrator rights) and review job owners, file lists, and statuses for suspicious activity.
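The detection checklist above (monitoring job creation and BITS-related PowerShell activity) and this audit step both come down to enumerating jobs and deciding which ones look wrong. This added example is not from the original page: it lists BITS jobs for all users, flags the traits that matter in a T1197 investigation, and pulls the matching events from the BITS client operational log. The allowlist of download hosts is an assumption.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.
Import-Module BitsTransfer

# Assumption: hosts your environment legitimately downloads from. Extend as needed.
$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', 'updates.corp.example')

function Get-SuspiciousBitsJob {
    param([string[]]$AllowedHosts)
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # A NotifyCmdLine runs when the transfer finishes: the classic T1197 execution hook.
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)" }
        # Upload jobs are rare on workstations and can carry data out.
        if ($job.TransferType -ne 'Download') { $reasons += "transfer type: $($job.TransferType)" }
        foreach ($file in $job.FileList) {
            $uri = [uri]$file.RemoteName
            if (-not ($AllowedHosts | Where-Object { $uri.Host -like $_ })) {
                $reasons += "remote host not allowlisted: $($uri.Host)"
            }
            if ($file.LocalName -match '\\(Temp|AppData|ProgramData|Public)\\') {
                $reasons += "writes to user-writable path: $($file.LocalName)"
            }
            if ($file.LocalName -match '\.(exe|dll|ps1|vbs|js|bat|cmd|hta)$') {
                $reasons += "fetches an executable or script: $($file.LocalName)"
            }
        }
        if ($reasons) {
            [pscustomobject]@{
                JobId = $job.JobId; DisplayName = $job.DisplayName; Owner = $job.OwnerAccount
                State = $job.JobState; Created = $job.CreationTime; Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Get-RecentBitsEvents {
    param([int]$Hours = 24)
    # BITS-Client operational log: 3 = job created, 59 = transfer started (shows the URL),
    # 60 = transfer stopped (HTTP status), 4 = job completed.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 4, 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-SuspiciousBitsJob -AllowedHosts $AllowedHosts | Format-List
Get-RecentBitsEvents | Format-Table -Wrap
```

Once a flagged job is confirmed malicious, Remove-BitsTransfer cancels it and deletes its partial downloads; capture the job details first, because the NotifyCmdLine and remote URL are the evidence you will want.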


BITS is not a native macOS service, but general security hygiene still applies.

Inspect Launch Agents and Daemons:

  • ls /Library/LaunchAgents

  • ls /Library/LaunchDaemons

  • ls ~/Library/LaunchAgents

Remove unauthorized items:

  • sudo rm /path/to/suspicious.plist

Monitor Network Traffic:

  Use Activity Monitor or tools like Little Snitch to track and set rules for network connections.


BITS is not a native Linux service, but general security hygiene still applies.

Audit cron Jobs and Systemd Timers:

      crontab -l
      sudo crontab -l
      ls /etc/cron.d
      systemctl list-timers --all

Remove unauthorized items (note that `crontab -r` deletes the current user's entire crontab; use `crontab -e` to remove a single entry):

      crontab -r
      sudo rm /etc/cron.d/suspicious_job
      sudo systemctl disable suspicious_timer

Monitor Network Connections:

      netstat -tulnp
      ss -tulnp

Remediation: Cloud


Review IAM Policies and Roles:

Use the IAM service in the AWS Management Console to review and restrict policies.

Enable AWS CloudTrail:

Ensure CloudTrail is enabled in all regions. Create CloudWatch Alarms for BITS job activities.


Manage IAM Roles and Permissions:

Audit roles/permissions in the GCP Console and enforce minimal permissions.

Activate Cloud Audit Logs:

Ensure Cloud Audit Logs log admin/data access activities. Set up monitoring and alerts for suspicious actions.


Review Azure AD Roles and Permissions:

Check roles in Azure Active Directory, ensuring least privilege. Remove/modify overly permissive roles.

Enable Azure Security Center and Azure Monitor:

Configure Azure Security Center for recommendations and use Azure Monitor to set up alerts for suspicious activities.

