Abusing BITS Jobs for Persistence
Introduction
BITS (Background Intelligent Transfer Service) is a Windows service that provides a low-bandwidth, asynchronous file transfer mechanism between machines. It is commonly used by updaters, messengers, and other applications that operate in the background, consuming idle network bandwidth without interrupting other networked applications. A BITS job is a queue of one or more file transfers, so a single job can move multiple files. In this paper, we will discuss how threat actors can abuse BITS jobs to achieve persistence on compromised systems, the techniques they use, and the countermeasures that organizations can implement to mitigate this threat.
Abusing BITS Jobs for Persistence
BITS jobs can be abused by threat actors in a number of ways to achieve persistence on compromised systems. One common technique is to create a BITS job that downloads and executes malicious code. This code can be designed to connect back to a command and control server or to perform other malicious actions on the compromised system.
Another technique is to use BITS jobs to download and install additional malware or to perform various other background tasks. For example, a threat actor could create a BITS job to periodically check for new commands from a command and control server, or to download and install updates to the malware.
BITS jobs are particularly useful for achieving persistence because they can survive system reboots and remain active even if the user is not logged in. This makes them an attractive mechanism for threat actors looking to maintain long-term access to a compromised system.
Techniques Used by Threat Actors
Threat actors use a variety of techniques to abuse BITS jobs and achieve persistence on compromised systems. Some of the most common techniques include:
- Creating BITS jobs with malicious code: Threat actors can create BITS jobs that download and execute malicious code on the compromised system. This code can be designed to perform a range of malicious actions, including connecting back to a command and control server, exfiltrating data, or installing additional malware.
- Creating BITS jobs to download and install additional malware: Threat actors can create BITS jobs that download and install additional malware onto the compromised system. This can include Trojans, ransomware, or other types of malware.
- Creating BITS jobs to perform other background tasks: Threat actors can also use BITS jobs for recurring background work, such as periodically checking for new commands from a command and control server or downloading and installing updates to the malware.
Countermeasures
There are several countermeasures that organizations can implement to mitigate the threat posed by abuse of BITS jobs. Some of these countermeasures include:
- Monitoring for suspicious BITS activity: Organizations can monitor for suspicious BITS activity, such as unexpected network traffic or the creation of new BITS jobs. This can be done using tools like Microsoft’s Sysinternals suite or third-party endpoint detection and response (EDR) solutions.
- Disabling BITS: If BITS is not needed for any legitimate business purpose, it can be disabled altogether, which prevents threat actors from using it to execute malicious code or perform other background tasks. Note that Windows Update itself relies on BITS, so this option has to be weighed against the update mechanism the organization depends on.
- Implementing network segmentation: Network segmentation can help prevent lateral movement by limiting the reach of any compromised system. This can be particularly effective in preventing the spread of malware that relies on BITS for persistence.
- Limiting user privileges: Organizations can limit user privileges to prevent threat actors from creating and executing malicious BITS jobs. This can be done by implementing least privilege access policies and using endpoint security solutions to enforce them.
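A defender-side triage script for the monitoring countermeasure above, written as an added example in PowerShell (not the article's own code). It assumes the built-in BitsTransfer module (Windows 8 / Server 2012 and later), an elevated session, and a constructed allowlist of expected update hosts; it goes a step beyond the list by also reading the BITS client operational log, which records transfers even after a job has left the queue.

```powershell
# Added example, not from the original article: triage the BITS queue and the
# BITS client event log on a Windows host. Assumes Windows PowerShell 5.1 or
# later with the built-in BitsTransfer module, run elevated (required for
# -AllUsers and for reading the operational log).
Import-Module BitsTransfer

# Hosts the organisation expects BITS to contact (constructed placeholder list).
$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', 'updates.example.internal')

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([uri]$Url).Host } catch { return $false }
    foreach ($pattern in $AllowedHosts) { if ($h -like $pattern) { return $true } }
    return $false
}

# 1. Live queue: flag jobs with a completion command (a program runs when the
#    transfer finishes), a remote source outside the allowlist, or a local
#    target under a temp or profile directory.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = @()
    if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine=$($job.NotifyCmdLine)" }
    foreach ($f in $job.FileList) {
        if (-not (Test-AllowedHost $f.RemoteName)) { $reasons += "remote=$($f.RemoteName)" }
        if ($f.LocalName -match '\\(Temp|AppData|Public|ProgramData)\\') { $reasons += "local=$($f.LocalName)" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            JobId   = $job.JobId
            Name    = $job.DisplayName
            Owner   = $job.OwnerAccount
            State   = $job.JobState
            Created = $job.CreationTime
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize

# 2. History: jobs that already completed and left the queue still logged
#    Event ID 59 (transfer started, with the URL) in the BITS client log.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59
             StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $url = ($xml.Event.EventData.Data | Where-Object Name -eq 'url').'#text'
    if ($url -and -not (Test-AllowedHost $url)) {
        [pscustomobject]@{ Time = $_.TimeCreated; Url = $url; Message = $_.Message }
    }
} | Format-Table -AutoSize -Wrap
```

On hosts without the module, `bitsadmin /list /allusers /verbose` exposes the same queue fields (including the notify command line) for manual review.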
By taking these steps, organizations can reduce the risk of BITS job abuse and maintain the security of their systems.
It’s important to note that these countermeasures are not foolproof, and threat actors may still find ways to abuse BITS jobs for persistence. Therefore, it’s essential to have a comprehensive security strategy that includes not only technical controls but also user education and awareness programs.
Furthermore, organizations should stay up to date with the latest threat intelligence and best practices to ensure they are taking appropriate measures to protect their systems. This includes regularly reviewing and updating their security policies, conducting regular security assessments, and engaging in ongoing training and education for their IT staff and end-users.
Conclusion
BITS jobs provide a convenient and low-bandwidth way for legitimate applications to perform background file transfers. However, threat actors can abuse this service to achieve persistence on compromised systems. By creating BITS jobs that download and execute malicious code, install additional malware, or perform various background tasks, threat actors can maintain access to compromised systems for extended periods.
Organizations can take several countermeasures to mitigate the risk of BITS job abuse, including monitoring for suspicious activity, disabling BITS if not needed, implementing network segmentation, and limiting user privileges. However, it’s important to note that these countermeasures are not foolproof and should be supplemented by a comprehensive security strategy that includes user education and awareness programs, ongoing training and education for IT staff, and regular security assessments. By taking these steps, organizations can reduce the risk of BITS job abuse and maintain the security of their systems.
BITS jobs can be an effective tool for threat actors looking to achieve persistence on compromised systems. However, organizations can implement a range of countermeasures to mitigate this threat, including monitoring for suspicious BITS activity, disabling BITS if not needed, implementing network segmentation, and limiting user privileges.