Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares.
BITS will take the cost of the transfer into consideration, as well as the network usage so that the user's foreground work has as little impact as possible. BITS also handles network interruptions, pausing and automatically resuming transfers, even after a reboot, which makes it a very good candidate for implant Command and Control standard tasks (download, upload and ex-filtration).
BITS includes PowerShell cmdlets for creating and managing transfers as well as the BitsAdmin command-line utility.
BITS is composed of a Client (i.e. bitsadmin, powershell) loading Bitsproxy.dll, qmgrprxy.dll or Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll and a Server (svchost.exe with the process's command-line value contains the keyword "BITS" and hosting the service DLL qmgr.dll):
Figure 1 - BITS Client
Figure 2 - BITS Server
Communication between the BITS client and server is performed via RPC, and the IBackgroundCopyManager is the main BITS interface used to enumerate or create new BITS Jobs:
Figure 3 - OleView of the BITS service exposed interfaces
Figure 4 - BITS IBackgroundCopyManager Interface exposed Methods
From a behavior perspective all the download and upload activities are performed by the BITS server (svchost.exe) impersonating the BITS client which breaks the link between the client and the server if using standard monitoring telemetry such as Sysmon network and file creation events.
BITS can be also abused for persistence by setting a command to run every time a transfer job enters the BG_JOB_STATE_ERROR or BG_JOB_STATE_TRANSFERRED state using the IBackgroundCopyJob2::SetNotifyCmdLine method (i.e. bitsadmin.exe /SetNotifyCmdLine) which will result in a malicious program or command to be run persistently on a target system.
Detection and Hunting
From a detection and forensics perspective Windows provides good logging events for the BITS client activities via the Microsoft-Windows-Bits-Client provider (enabled by default), key events are:
- EventID 3 - BITS service created a new Job
- EventID 59 - BITS started the <jobname> transfer job that is associated with http://example.com URL.
- EventID 60 - BITS stopped transferring the <jobname> transfer job that is associated with the http://example.com URL. The status code is 0xxxx.
- EventID 4 - The transfer job is complete
- EventID 5 - Job cancelled.
- Other events that are related to performance and transfer errors
Below example of BITS events resulting from this malware sample (Remcos or Netwire RAT loader):
A) Unusual BITS Client:
By default on a Windows machine there are a limited number of BITS clients (native Windows binaries) and the majority are related to third party programs such as browsers. To baseline the clients we can use Bitsproxy.dll or qmgrprxy.dll ImageLoad events (such as Sysmon EventId 7) or BITS Client Event Logs EventId 3.
By default the following are the known normal BITS client with process path residing under c:\windows\ directory.
c:\Windows\System32\svchost.exe (BITS service)
Excluding the above we can hunt/detect for unusual client, below an example of a hunting EQL query:
B) Program Execution via BITS SetNotifyCmdline Persistence:
Programs set to execute via the SetNotifyCmdline method are a child of the BITS service, there are some legit instances especially signed stuff running from program files directories, but its quite rare:
C) Execution of a File Downloaded via BITS Service:
Last example is to hunt for executable content that is downloaded via BITS service and immediately executed, we can do that by correlating File rename event (old file name always follow this pattern BITXXXX.tmp and renamed to the target file name) by the BITS service followed by process execution by file.path/process.executable:
As you can see below we can link the file download activity to the process execution event:
Figure 14 - Hunt Results for Process Execution of a File Downloaded via BITS service
There other scenarios but that should give you an idea of the building blocks and how to play with them to spot unusual combinations.