Description
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)
Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)
BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)
Platforms
Mitigations (3)
User Account ManagementM1018
Consider limiting access to the BITS interface to specific users or groups.(Citation: Symantec BITS May 2007)
Filter Network TrafficM1037
Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
Operating System ConfigurationM1028
Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS.(Citation: Microsoft BITS)
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used BITS jobs to download malicious payloads.(Citation: Unit 42 BackConfig May 2020) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used [BITSAdmin](https://attack.mitre.org/software/S0190) to download additional tools.(Citatio... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used the BITS protocol to exfiltrate stolen data from a compromised host.(Citation: FBI FLASH APT39... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used [BITSAdmin](https://attack.mitre.org/software/S0190) to download and install payloads.(Citation: F... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used batch scripts that utilizes WMIC to execute a [BITSAdmin](https://attack.mitre.org/sof... |
Associated Software (8)
| ID | Name | Type | Context |
|---|---|---|---|
| S0652 | MarkiRAT | Malware | [MarkiRAT](https://attack.mitre.org/software/S0652) can use BITS Utility to connect with the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) has been downloaded via Windows BITS functionality.(Citation: NCC Group Team9 June 2020) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can download a hosted "beacon" payload using [BITSAdmin](https://attack.mitre.org/software/S0... |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) has used BITSadmin to download and execute malicious DLLs.(Citation: Intrinsec Egregor Nov 2020) |
| S0201 | JPIN | Malware | A [JPIN](https://attack.mitre.org/software/S0201) variant downloads the backdoor payload via the BITS service.(Citation: Microsoft PLATINUM April 2016... |
| S0333 | UBoatRAT | Malware | [UBoatRAT](https://attack.mitre.org/software/S0333) takes advantage of the /SetNotifyCmdLine option in [BITSAdmin](https://attack.mitre.org/software/S... |
| S0654 | ProLock | Malware | [ProLock](https://attack.mitre.org/software/S0654) can use BITS jobs to download its malicious payload.(Citation: Group IB Ransomware September 2020) |
| S0190 | BITSAdmin | Tool | [BITSAdmin](https://attack.mitre.org/software/S0190) can be used to create [BITS Jobs](https://attack.mitre.org/techniques/T1197) to launch a maliciou... |
References
- Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.
- Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.
- Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018.
Frequently Asked Questions
What is T1197 (BITS Jobs)?
T1197 is a MITRE ATT&CK technique named 'BITS Jobs'. It belongs to the Stealth, Persistence, Execution tactic(s). Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer...
How can T1197 be detected?
Detection of T1197 (BITS Jobs) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1197?
There are 3 documented mitigations for T1197. Key mitigations include: User Account Management, Filter Network Traffic, Operating System Configuration.
Which threat groups use T1197?
Known threat groups using T1197 include: Patchwork, Leviathan, APT39, APT41, Wizard Spider.