The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from bitsadmin.exe, but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.
One way to do this is to execute the bitsadmin client from a cmd.exe session with elevated privileges by typing: bitsadmin /list /allusers /verbose. Hello dear stackoverflow community, in my recent project I tried to download a file with the bitsadmin batch function which looked like this: call bitsadmin /transfer NETFX /download /priority no.
ATT&CK Detection
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| BITS Jobs | N/A | Defense Evasion, Persistence | Moderate |
| Ingress Tool Transfer | N/A | Command and Control | Moderate |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |
Applicable Sensors
Implementations
Pseudocode – detect BITS transfer jobs (Pseudocode, CAR native)
Pseudocode implementation of the Splunk search below Gladiator soundtrack rar.
Splunk code (Splunk, Endpoint)
Microsoft office 2013. To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node.
Unit Tests
Test Case 1
Configurations: Using Splunk Attack Range
Bitsadmin.exe /reset /allusers
Replay the detection dataset using the Splunk attack range with the commands below
Test Case 2
Configurations: Using Invoke-AtomicRedTeam
execute the atomic test T1197 against a Windows target.
Windows 7 / Getting StartedPrevious versions of Windows provided command-line management of BITS using theBITSAdmin.exe tool. In Windows 7, BITSAdmin.exe is deprecated. Instead, you should use theWindows PowerShell cmdlets.
Within Windows PowerShell, begin by running the following command.
Import-Module BitsTransferAfter you import the BitsTransfer module, the following cmdlets are available:
- Add-BitsFile Adds files to a BITS transfer
- Complete-BitsTransfer Completes a BITS transfer
- Get-BitsTransfer Gets a BITS transfer
- Remove-BitsTransfer Stops a BITS transfer
- Resume-BitsTransfer Resumes a suspended BITS transfer
- Set-BitsTransfer Configures a BITS transfer job
- Start-BitsTransfer Creates and starts a BITS transfer job
- Suspend-BitsTransfer Pauses a BITS transfer job
For example, the following Windows PowerShell command begins a BITS transfer from thelocal computer to a computer named CLIENT.
Bitsadmin Example
Start-BitsTransfer -Source file.txt -Destination clientshare -Priority normalBitsadmin.exe
When running Windows PowerShell interactively, the PowerShell window displays theprogress of the transfer. The following command uses an abbreviated notation to download afile from a Web site to the local computer.
Start-BitsTransfer http://server/dir/myfile.txt C:docsmyfile.txtFor detailed information, run the following command within Windows PowerShell.
Help About_BITS_CmdletsIn this tutorial:
