Abusing BITS Jobs (Persistence & Defence Evasion)

Captions
Hi there, I'm Andy, and in this video we'll be exploring how to attack, detect and defend against the abuse of BITS jobs. BITS is the Background Intelligent Transfer Service, a component of Windows which is responsible for undertaking file transfers using unused bandwidth so as not to slow down a machine, and is commonly used to download software updates, although as we'll see later it can also be abused by attackers to download malware as well as triggering execution of malicious code.

Each BITS job primarily comprises a list of files to download, either over HTTP or SMB, and where to save them on the local machine. Some additional metadata can be included, such as how often to retry the job if it fails and the name of the command to run once the files have finished downloading. When a BITS job is created it's in a suspended state until it's been fully configured and activated, at which point it joins the transfer queue. Once BITS has sufficient unused bandwidth to proceed it tries to connect and transfer the files. Once the transfer is complete it must be acknowledged before the job is removed. Jobs will be suspended if the user which owns the job logs off, and resumed again when they log back on. Jobs may also encounter temporary transient errors or permanent errors during connection or transfer; it'll automatically retry the job in the case of transient errors, but otherwise jobs may be cancelled by a user, which results in the job being deleted. BITS is primarily intended to download software updates and as such is commonly granted free access by most host-based firewalls.

It's common for an attack to require the transfer of malicious code onto a compromised machine, and of course attackers have abused BITS jobs for this purpose. New jobs can be configured either programmatically through calling the BITS COM classes, or via PowerShell, or via the bitsadmin tool. In this example here an attacker has compromised a machine and wants to download some additional malicious code, and an initial call to bitsadmin is required to create a new job. A subsequent call adds a file to transfer; the job can then be started with the /resume flag. The status of the job can be checked with /list or monitored over a longer period with /monitor. Note that although the file has now finished transferring it doesn't appear in the destination folder just yet; at this point it's still hidden and stored as a temporary file. Only once the attacker makes a final call to bitsadmin with the /complete flag does the file appear, at which point the job is removed from the BITS queue. An attacker could also use the /transfer option like this, which eliminates the need for running /complete once the file transfer has finished. The /transfer option can additionally be used to upload files with the /upload flag, providing a means of exfiltrating files. An alternative to the /transfer option is to take advantage of the BITS feature which triggers a command to be executed once a file has finished transferring. In this example the Windows calculator is being launched, but more complicated commands are possible. Here an attacker is using the command prompt to run multiple other commands in turn: first run bitsadmin to complete the transfer, then run the exe that's just been downloaded.

But BITS isn't just of use to transfer malicious files onto a machine; it can also provide a method of persistence on versions of Windows prior to Windows 10. On this Windows 7 box an attacker is configuring a BITS job in a similar way as we just saw, to launch a payload once the file has finished transferring. However, if the bitsadmin /complete command is not run then the job remains on the system, and each time that user logs on the job gets reactivated, triggering the payload to be executed once again. Whilst the behaviour on Windows 10 is slightly different and means that this method of persistence doesn't work, it can still be configured to deliver event-driven execution. Our attacker sets up a BITS job in exactly the same way as before, but this time the attacker's remote server is configured not to respond to any requests, so when the job runs it returns an error. Windows will attempt to rerun this job on a periodic basis, failing each time. When an attacker wants to trigger the execution of their payload they just need to start accepting connections on the remote server; the next time Windows tries to run the BITS job it succeeds and the payload code is run. One final thing to note: no special permissions are required to configure BITS jobs. All of the attack activities here were undertaken using a standard non-privileged user account, although of course remember that BITS jobs are only run when the user who owns them is currently logged onto the device.

We've already seen that BITS jobs can be viewed with the bitsadmin /list or /monitor tool; alternatively you can use the Get-BitsTransfer cmdlet under PowerShell, but both of these only show jobs which are currently active. Completed or cancelled jobs are logged to the Windows event log and can be viewed from the Event Viewer under Applications and Services > Microsoft > Windows > Bits-Client. Note event number 3, which records the creation of a new BITS job including the user who created it; events 59 and 60 list the remote file being transferred; and event 4 records the completion of a job. But nowhere in the logs does it contain any clue that this job was configured to run a command upon file transfer. This machine has had Sysinternals Sysmon running in the background, so we should be able to see the process launch event via its logging, and here it is: it was spawned by the svchost.exe process, which is responsible for a bunch of different Windows services, although the parent command line clarifies that this is the svchost.exe which is running the BITS service. Detective controls can be established at the network layer, as BITS uses HTTP or SMB as its transfer mechanism. A Security Onion sensor on the same network as our victim has identified the use of the BITS_POST HTTP method associated with the file upload, and records a number of connections associated with the rest of the transfers including the URIs accessed, although note that from a network traffic point of view we cannot distinguish whether the transfers were initiated by BITS or some other mechanism, and of course if any of these transfers used HTTPS then even less information would be available unless this network sensor was undertaking TLS break-out.

Whilst it is possible to disable the BITS service or block its ability to communicate with a Windows Firewall rule, this is undesirable given that the operating system and many other apps use BITS as the mechanism for downloading software updates, which of course includes security updates. Blocks could instead be put in place at the network perimeter of environments where patches are deployed by an internal server. Whilst outbound SMB should always be blocked anyway, blocking HTTP is usually impractical for users who want to browse the web, so a better option is to undertake TLS break-out and content filtering of HTTP traffic to remove known threats and prohibit access to untrusted or known malicious locations, and of course this control has the added benefit of protecting users' web browsing traffic in addition to reducing abusive BITS jobs. The configuration of BITS can be beefed up by Group Policy to reduce its potential abuse to some degree. The job inactivity timeout is by default set to 90 days; that means if there's no activity on a given job during that time then it gets deleted, so if a BITS job is being used as a method of persistence or event-driven execution, reducing this value can limit the window that it is effective for. Another GPO option, max jobs per user, could be set on a per-user basis to zero, effectively disabling the ability for those users to create BITS jobs whilst retaining its use for system updates. However, it should again be noted that this could interfere with the software update process for apps installed by users and not managed centrally.

But that about wraps up this video. If you found it useful please do give it a like and consider subscribing if you want more of this sort of content. Drop a note in the comments if there's anything you think I've missed around attacking, detecting and defending against the abuse of BITS jobs, or if you have a good idea of what topic I should cover next. I'll see you next time.
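The detection part of the video relies on two sources: the Bits-Client event log (event 3 for job creation with its owner, 59/60 for the remote URL, 4 for completion) and Sysmon process-creation events whose parent is the svchost.exe hosting the BITS service. The following Python is an added example, not the channel's code; it correlates constructed records in those shapes into per-job findings. The field names, the allow-list of update hosts and the `-s BITS` service-host command-line pattern are assumptions for illustration, not the real event XML schema.

```python
"""Correlate constructed BITS-Client and Sysmon records into per-job findings.

Added example for illustration. The dictionary field layout below is an
assumption; real events carry these values in XML EventData fields.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts that legitimately serve updates in this hypothetical environment.
ALLOWED_HOSTS = {"update.corp.example", "download.windowsupdate.com"}

# Constructed sample records approximating Microsoft-Windows-Bits-Client
# events 3 (job created), 59/60 (transfer started/stopped for a URL)
# and 4 (job complete).
BITS_EVENTS = [
    {"id": 3, "job": "WinUpdate", "user": "CORP\\alice", "pid": 1234},
    {"id": 59, "job": "WinUpdate", "url": "http://update.corp.example/p.cab"},
    {"id": 60, "job": "WinUpdate", "url": "http://update.corp.example/p.cab"},
    {"id": 4, "job": "WinUpdate", "user": "CORP\\alice"},
    {"id": 3, "job": "Job1", "user": "CORP\\bob", "pid": 4321},
    {"id": 59, "job": "Job1", "url": "http://203.0.113.10/payload.exe"},
    {"id": 60, "job": "Job1", "url": "http://203.0.113.10/payload.exe"},
    {"id": 4, "job": "Job1", "user": "CORP\\bob"},
    {"id": 3, "job": "Job2", "user": "CORP\\bob", "pid": 4321},
    {"id": 59, "job": "Job2", "url": "http://203.0.113.10/never.bin"},
    {"id": 60, "job": "Job2", "url": "http://203.0.113.10/never.bin"},
    # Job2 has no event 4: it failed and stays queued for periodic retry,
    # which is the event-driven execution pattern described in the video.
]

# Constructed Sysmon event 1 (process creation) records.
SYSMON_EVENTS = [
    {"image": "C:\\Windows\\System32\\calc.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "parent_cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS"},
    {"image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "parent_cmdline": "C:\\Windows\\explorer.exe"},
]


@dataclass
class BitsJob:
    name: str
    owner: str = ""
    urls: set = field(default_factory=set)
    completed: bool = False


def build_jobs(events):
    """Group BITS-Client events by job name into BitsJob summaries."""
    jobs = {}
    for ev in events:
        job = jobs.setdefault(ev["job"], BitsJob(ev["job"]))
        if ev["id"] == 3:
            job.owner = ev["user"]
        elif ev["id"] in (59, 60):
            job.urls.add(ev["url"])
        elif ev["id"] == 4:
            job.completed = True
    return jobs


def bits_findings(events, allowed_hosts=ALLOWED_HOSTS):
    """Report jobs pulling from hosts outside the allow-list, noting whether
    the job completed or is still sitting in the queue retrying."""
    findings = []
    for job in build_jobs(events).values():
        bad = sorted(u for u in job.urls
                     if urlparse(u).hostname not in allowed_hosts)
        if not bad:
            continue
        state = "completed" if job.completed else "incomplete (queued/retrying)"
        findings.append(
            f"{job.name} owned by {job.owner}: untrusted source {bad} [{state}]")
    return findings


def bits_spawned_processes(events):
    """Images started by the svchost.exe instance hosting the BITS service.
    The '-s BITS' command-line pattern is an assumption for this example."""
    return [ev["image"] for ev in events
            if ev["parent_image"].lower().endswith("\\svchost.exe")
            and "-s bits" in ev["parent_cmdline"].lower()]


if __name__ == "__main__":
    for line in bits_findings(BITS_EVENTS) + bits_spawned_processes(SYSMON_EVENTS):
        print(line)
```

The incomplete-job finding is the one to watch for the Windows 10 trigger described above: a job that keeps failing against an untrusted host is exactly what an attacker leaves parked in the queue, and the Sysmon correlation supplies the "command run on completion" detail that the Bits-Client log itself never records.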
Info
Channel: Attack Detect Defend
Views: 3,461
Id: oPOj4cxZOIY
Length: 9min 9sec (549 seconds)
Published: Tue Dec 01 2020