Approved

For this query, you are recommended to read the full content of the post before using it.

Live Discover Query - Living off the land BITS

REVIEWED by Sophos

There are many libraries one can use for making web calls, be it PowerShell, WinHTTP or XML, but one of the more stealthy technologies is the Background Intelligent Transfer Service (BITS). Information is available here as a starting point: https://docs.microsoft.com/en-us/windows/win32/bits/about-bits.

It has been around for a long time and is used by Windows Update, SCCM, and numerous other Microsoft applications. Although there is a COM API for interacting with it, from my experience Microsoft technologies are the main legitimate consumer of this service. With all the other libraries available, I suppose it's not typically used by third parties, maybe due to lack of control or just the dependency on another service. In the spirit of "living off the land", however, it's a perfect technology that can be leveraged due to its trickle features, so it's worth considering some of the basic functionality and what you can look out for to see if it's being used by a malicious process or bad actor.

The built-in command-line tool Bitsadmin.exe can be used to interact with the BITS service. Details on the commands available are here: https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool, or simply run bitsadmin /?.

Given that a new job can be created before files are added to it, the following example query considers both steps and also shows you the files that are being downloaded:

select cmdline from sophos_process_journal where (cmdline like '%bitsadmin%/create%') or (cmdline like '%bitsadmin%/addfile%')

If you get any results, it would then be worth considering who is creating the bitsadmin process and which files and locations are being downloaded.

As PowerShell can also be used to set up BITS jobs and interact with the BITS service, e.g. via the cmdlet 'Start-BitsTransfer', it would also be worth paying attention to this and other related cmdlets. For example, the help for 'Start-BitsTransfer' references:

  • Add-BitsFile
  • Complete-BitsTransfer
  • Get-BitsTransfer
  • Remove-BitsTransfer
  • Resume-BitsTransfer
  • Set-BitsTransfer
  • Suspend-BitsTransfer

The commands 'get-help Start-BitsTransfer -examples' or 'get-help Start-BitsTransfer -detailed' will also give some information.

So when interacting from PowerShell, it seems likely that the "BitsTransfer" keyword will be present on the command line. This could be worked into a general BITS query as a starting point, as it seems distinct enough not to throw up too many false positives.

It may be that you do have some legitimate software that sets up jobs using the above methods, but this is all about understanding what is normal and iterating on the queries to highlight the abnormal.

Given the above information, the following query might be an interesting starting point:

select cmdline from sophos_process_journal where (cmdline like '%bitsadmin%/create%') or (cmdline like '%bitsadmin%/addfile%') or (cmdline like '%BitsTransfer%')

This might be a little open, but it is worth running on a few representative clients to see what, if anything, is returned. Hopefully it gives an avenue to delve into that could yield some unexpected or unwanted results.
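To check what the query above actually matches before running it fleet-wide, here is an added example (mine, not part of the original post or of Sophos's tooling) that runs the post's query unchanged against an in-memory SQLite stand-in for the sophos_process_journal table, with a few constructed command lines; the table shape, the sample rows and the example.invalid URLs are assumptions for illustration only.

```python
import sqlite3

# Constructed sample command lines standing in for sophos_process_journal rows
# (not real telemetry): a mix of BITS use and unrelated processes.
SAMPLE_CMDLINES = [
    r'bitsadmin /create myjob',
    r'bitsadmin /addfile myjob http://example.invalid/file.txt C:\Temp\file.txt',
    r'BITSADMIN.EXE /CREATE update-job',  # upper-case variant
    r'powershell.exe -Command "Start-BitsTransfer -Source http://example.invalid/x -Destination C:\Temp\x"',
    r'powershell.exe -Command "Get-BitsTransfer"',
    r'bitsadmin /list /allusers',  # admin listing jobs, no job creation
    r'bitsadmin /transfer job1 http://example.invalid/y C:\Temp\y',  # single-step form
    r'svchost.exe -k netsvcs -p -s BITS',  # the service host itself
    r'notepad.exe C:\Temp\notes.txt',
]

# The query exactly as given in the post.
POST_QUERY = (
    "select cmdline from sophos_process_journal where "
    "(cmdline like '%bitsadmin%/create%') or "
    "(cmdline like '%bitsadmin%/addfile%') or "
    "(cmdline like '%BitsTransfer%')"
)


def build_journal(cmdlines):
    """Create an in-memory table with the one column the post's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sophos_process_journal (cmdline text)")
    conn.executemany("insert into sophos_process_journal values (?)",
                     [(c,) for c in cmdlines])
    return conn


def run_query(conn, query=POST_QUERY):
    """Return the cmdline values the query matches, in insertion order."""
    return [row[0] for row in conn.execute(query)]


def unmatched(conn, query=POST_QUERY):
    """Rows the query does NOT return: the set to review when iterating on it."""
    hits = set(run_query(conn, query))
    return [c for (c,) in conn.execute("select cmdline from sophos_process_journal")
            if c not in hits]


if __name__ == "__main__":
    conn = build_journal(SAMPLE_CMDLINES)
    for c in run_query(conn):
        print("MATCH   ", c)
    for c in unmatched(conn):
        print("no match", c)
```

SQLite's LIKE is case-insensitive for ASCII (osquery, on which Live Discover is built, uses the same engine), which is why the upper-case BITSADMIN.EXE row matches; the /list and /transfer rows do not, showing where the query would need iterating if those forms matter in your estate.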

Regards,
Jak