-
Notifications
You must be signed in to change notification settings - Fork 373
/
Copy pathbits_jobs.yml
31 lines (31 loc) · 1.54 KB
/
bits_jobs.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
name: BITS Jobs
id: dbc7edce-8e4c-11eb-9f31-acde48001122
version: 1
date: '2021-03-26'
author: Michael Haag, Splunk
description: Adversaries may abuse BITS jobs to persistently execute or clean up after
malicious payloads.
narrative: Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth,
asynchronous file transfer mechanism exposed through Component Object Model (COM).
BITS is commonly used by updaters, messengers, and other applications preferred
to operate in the background (using available idle bandwidth) without interrupting
other networked applications. File transfer tasks are implemented as BITS jobs,
which contain a queue of one or more file operations. The interface to create and
manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries
may abuse BITS to download, execute, and even clean up after running malicious code.
BITS tasks are self-contained in the BITS job database, without new files or registry
modifications, and often permitted by host firewalls. BITS enabled execution may
also enable persistence by creating long-standing jobs (the default maximum lifetime
is 90 days and extendable) or invoking an arbitrary program when a job completes
or errors (including after system reboots).
references:
- https://attack.mitre.org/techniques/T1197/
- https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection