Persistent Threats: Abusing BITS Jobs and Modifying LSASS Drivers

ReZa AdineH
3 min read · Mar 7, 2023


Introduction

Adversaries constantly evolve their tactics, techniques, and procedures (TTPs) to evade detection and keep access to the systems they have compromised. Two persistence techniques that threat actors use, both catalogued in MITRE ATT&CK, are abusing Background Intelligent Transfer Service (BITS) jobs (T1197) and modifying or adding the DLLs that the Local Security Authority Subsystem Service (LSASS) loads, which ATT&CK calls LSASS Driver (T1547.008). This white paper describes both techniques, how threat actors use them, and the countermeasures organizations can take to reduce the risk of persistent threats.

BITS Jobs and Persistence

BITS is a low-bandwidth, asynchronous file transfer mechanism exposed through the Component Object Model (COM) and implemented by the BITS service, which runs inside a svchost.exe process. It is commonly used by updaters, messengers, and other applications that need to move files in the background without competing with interactive network traffic. Transfers are implemented as BITS jobs, each holding a queue of one or more file operations; jobs can be created with the bitsadmin utility, the BitsTransfer PowerShell module (Start-BitsTransfer) or the COM interfaces directly. Threat actors abuse the same jobs to achieve persistence on compromised systems.

A job can be given a notification command line (bitsadmin /SetNotifyCmdLine, or the NotifyCmdLine parameter of Set-BitsTransfer) that the service runs when the transfer completes or errors, in the security context of the job owner. That is the hook: a job that downloads a payload and then runs it keeps executing attacker code long after the initial foothold. The job queue is stored by the BITS service, so jobs survive reboots, and an unfinished job is kept for 90 days by default. Because the traffic is throttled to idle bandwidth and originates from a signed Microsoft host process, it blends in with legitimate update traffic and is easy to overlook.

Countermeasures for BITS Job Abuse

Organizations can take several countermeasures to mitigate BITS job abuse. The first is visibility: enumerate the queue on endpoints (bitsadmin /list /allusers /verbose, or Get-BitsTransfer -AllUsers from an elevated PowerShell session) and look for jobs that carry a notification command line, drop executable payloads into user-writable directories, download from raw IP addresses, or have sat unfinished for weeks. Forward the Microsoft-Windows-Bits-Client/Operational log to the SIEM: event ID 3 records job creation together with the creating process, and event IDs 59 and 60 record the start and end of each transfer with its URL. Disabling the BITS service removes the technique entirely, but Windows Update and Microsoft Defender signature updates depend on it, so that is only practical on tightly managed hosts. Egress filtering and network segmentation limit where a job can fetch payloads from, and because the notification command runs as the job owner, keeping users out of the local Administrators group limits what a successful job can do.
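The hunt described above, as an added example (this is not code from the original post). It assumes Windows 8 / PowerShell 3 or later, an elevated session, and the English event-message format that includes a "Process Path:" line (Windows 10 and later). The staging-path patterns, the 7-day age threshold, the trusted command roots and the list of expected creating processes are this example's own assumptions, not a Microsoft baseline; tune them to your estate.

```powershell
# Added example (not code from the original post). Hunts for BITS jobs that look
# like persistence hooks and lists recent job creations from the BITS-Client log.
# Assumptions: Windows 8+/PowerShell 3+, elevated session (Get-BitsTransfer
# -AllUsers needs it), English event messages. Patterns and thresholds below are
# illustrative, not a vendor baseline.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # A completion command that starts with one of these roots is treated as benign (assumption).
        [string[]] $TrustedCmdRoots = @("$env:SystemRoot\System32\", "$env:ProgramFiles\")
    )

    $scriptExt   = '\.(exe|dll|ps1|vbs|js|jse|hta|scr|bat|cmd)$'
    $stagingPath = '\\(Temp|AppData|Public|ProgramData|Downloads)\\'
    $rawIpUrl    = '^https?://\d{1,3}(\.\d{1,3}){3}'

    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
        $reasons = @()

        # 1. NotifyCmdLine is what turns a download into execution: BITS runs it
        #    when the job completes or errors, in the job owner's context.
        if ($job.NotifyCmdLine) {
            $cmd = ($job.NotifyCmdLine -join ' ')
            $trusted = $TrustedCmdRoots | Where-Object {
                $cmd.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $trusted) { $reasons += "completion command outside trusted roots: $cmd" }
        }

        # 2. Executable payloads dropped into user-writable staging directories,
        #    or fetched from a bare IP address instead of a vendor host name.
        foreach ($f in $job.FileList) {
            if ($f.LocalName -match $scriptExt -and $f.LocalName -match $stagingPath) {
                $reasons += "executable written to staging path: $($f.LocalName)"
            }
            if ($f.RemoteName -match $rawIpUrl) {
                $reasons += "download from raw IP address: $($f.RemoteName)"
            }
        }

        # 3. Jobs left in the queue: BITS keeps an unfinished job for 90 days by
        #    default, so a stale job quietly survives many reboots.
        if ($job.JobState -ne 'Transferred' -and $job.CreationTime -lt (Get-Date).AddDays(-7)) {
            $reasons += "unfinished job older than 7 days (state $($job.JobState))"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

function Get-RecentBitsJobCreations {
    # Event 3 records who created a job and from which process; event 59
    # records the URL when a transfer starts.
    param([int] $Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $procPath = if ($_.Message -match '(?m)^Process Path:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        $url      = if ($_.Message -match '(?i)(https?://\S+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            ProcessPath = $procPath
            Url         = $url
        }
    } | Where-Object {
        # Creation by anything other than the usual service hosts (assumed list),
        # or any transfer from a raw IP, is worth an analyst's look.
        ($_.EventId -eq 3  -and $_.ProcessPath -notmatch '\\(svchost|MoUsoCoreWorker|OneDrive)\.exe$') -or
        ($_.EventId -eq 59 -and $_.Url -match '^https?://\d{1,3}(\.\d{1,3}){3}')
    }
}

Get-SuspiciousBitsJob       | Format-Table -AutoSize
Get-RecentBitsJobCreations  | Format-Table -AutoSize
```

Run it from an elevated prompt on a host you suspect, or wrap the two functions in a scheduled collection that ships the objects to the SIEM; the same three job attributes (notification command, staging path, transfer source) translate directly into SIEM rules over event IDs 3 and 59.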

LSASS Drivers and Persistence

LSASS (lsass.exe) is the process that enforces local security policy and performs user authentication. Much of that work is done by DLLs it loads at start-up: authentication packages (such as msv1_0), security support packages (such as kerberos, schannel and wdigest) and password-filter/notification packages (such as scecli), all registered as multi-string values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. ATT&CK refers to these DLLs as LSASS drivers. A threat actor with administrative rights can add a malicious DLL to one of those lists, or replace a legitimate one, and obtain persistence that fires on every boot.

A DLL loaded this way runs inside lsass.exe as SYSTEM, so the attacker needs no separate privilege escalation: the code executes with the highest local privilege and sees credentials as they pass through authentication (a notification package, for instance, receives every password change in clear text). Such modifications are hard to spot because the DLL is loaded by a trusted, always-running system process, may carry the name of a legitimate LSA component, or may be hidden with rootkit-like techniques.

Countermeasures for LSASS Driver Modifications

Organizations can take several countermeasures to mitigate the risk of LSASS driver modifications. Monitor the values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa for changes (Sysmon event IDs 12 and 13, or Windows event 4657 with object-access auditing on the key), and alert on any DLL loaded into lsass.exe that is not signed by Microsoft (Sysmon event ID 7 filtered on the lsass.exe image). With the Audit Security System Extension subcategory enabled, the Security log also records every package LSASS loads: event 4610 for authentication packages, 4614 for notification packages and 4622 for security packages. These fire at every boot, so the signal is a package name that is not in your baseline, not the event itself. Enable LSA Protection (RunAsPPL), which runs lsass.exe as a protected process and refuses to load DLLs that are not Microsoft-signed, and Credential Guard where the hardware allows; application control (WDAC or AppLocker) adds a further check that only approved, signed binaries execute.

Organizations should also keep endpoint protection current, since vendors ship detections for known malicious LSA packages and for credential theft from LSASS, and run regular security assessments so that the conditions an attacker needs (local administrator rights on workstations, LSA Protection left off, no auditing on the Lsa key) are found and fixed before they are exploited.
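The baseline comparison, LSA Protection check and telemetry review from the two paragraphs above, as an added example (not code from the original post). The $Expected package lists are this example's assumption for a domain-joined workstation; capture the real values from a known-good golden image and use those instead. It assumes an elevated session, that the Audit Security System Extension subcategory is enabled for the Security-log part, and that Sysmon is installed with image-load logging for the last function.

```powershell
# Added example (not code from the original post). Compares the LSA package
# registrations against an assumed baseline, checks LSA Protection and
# Credential Guard flags, and pulls the package-load telemetry an analyst
# would review. Run elevated. Baseline values are assumptions; use your own.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-LsaPackageBaseline {
    param(
        [hashtable] $Expected = @{
            'Authentication Packages' = @('msv1_0')
            'Notification Packages'   = @('scecli')   # DCs add 'rassfm'; password-filter products add their own
            'Security Packages'       = @()           # empty on current Windows; live list also sits under Lsa\OSConfig
        }
    )
    $live = Get-ItemProperty -Path $LsaKey
    foreach ($name in $Expected.Keys) {
        # The default "Security Packages" value is the literal two-character string "" ; drop it.
        $actual = @($live.$name | Where-Object { $_ -and $_ -ne '""' })
        foreach ($pkg in $actual) {
            # LSASS resolves a bare name against System32; a name containing a path
            # separator is a DLL being loaded from somewhere else entirely.
            if ($pkg -match '[\\/]') {
                [pscustomobject]@{ Value = $name; Package = $pkg; Finding = 'package specified by path' }
            } elseif ($Expected[$name] -notcontains $pkg) {
                [pscustomobject]@{ Value = $name; Package = $pkg; Finding = 'package not in baseline' }
            }
        }
    }
}

function Test-LsaProtection {
    $lsa = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        # RunAsPPL = 1 makes lsass a protected process: only Microsoft-signed DLLs
        # load, and unprotected processes cannot open it to dump memory.
        LsaProtection   = ($lsa.RunAsPPL -eq 1)
        # LsaCfgFlags 1 or 2 means Credential Guard is configured (with / without UEFI lock).
        CredentialGuard = ($lsa.LsaCfgFlags -in @(1, 2))
    }
}

function Get-LsaPackageLoadEvents {
    param([int] $Days = 7)
    # 4610 = authentication package, 4614 = notification package, 4622 = security
    # package. All fire at boot; a name you have never seen before is the signal.
    $filter = @{ LogName = 'Security'; Id = 4610, 4614, 4622; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{
            n = 'Package'
            e = { if ($_.Message -match '(?m)Package Name:\s*(.+?)\s*$') { $Matches[1] } else { $_.Message } }
        }
}

function Get-UnsignedLsassImageLoads {
    param([int] $Days = 7)
    # Sysmon event 7 (ImageLoaded) scoped to lsass.exe: anything not signed by
    # Microsoft loading into LSASS deserves immediate attention.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d   = ([xml]$_.ToXml()).Event.EventData.Data
        $get = { param($n) ($d | Where-Object { $_.Name -eq $n }).'#text' }
        if ((& $get 'Image') -like '*\lsass.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ImageLoaded = & $get 'ImageLoaded'
                Signed      = & $get 'Signed'
                Signature   = & $get 'Signature'
                Status      = & $get 'SignatureStatus'
            }
        }
    } | Where-Object { $_.Signed -ne 'true' -or $_.Signature -notlike 'Microsoft*' }
}

Test-LsaPackageBaseline     | Format-Table -AutoSize
Test-LsaProtection
Get-LsaPackageLoadEvents    | Format-Table -AutoSize
Get-UnsignedLsassImageLoads | Format-Table -AutoSize
```

The baseline check is the part worth scheduling: a package name that appears in the registry or in event 4610/4614/4622 but not in the golden-image list is a high-fidelity alert, whereas the Sysmon filter produces noise on hosts running third-party security products that legitimately inject into LSASS, so add those signers to the exclusion once you have verified them.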

Conclusion

BITS jobs and LSASS driver modifications are two common techniques threat actors use to persist on compromised systems. A BITS job that downloads and then executes a payload survives reboots and hides inside legitimate background traffic; a DLL planted in LSASS runs as SYSTEM on every boot with direct access to credentials. The countermeasures are concrete: forward and review BITS and LSASS load telemetry, baseline the LSA package lists, disable BITS where nothing legitimate needs it, segment the network and limit user privileges, and enforce signed code through LSA Protection, application control and up-to-date endpoint protection. Taken together, these steps make both techniques far easier to detect and much harder to carry out.



ReZa AdineH

Hey, this is Reza Adineh, SOC Architect and consultant, SIEM Engineer, Threat Detection Engineer. Follow me on RezaAdineh.info