Mitigation against BITS Jobs technique

Dr. Nachaat Mohamed
Published 06/17/2022

Windows Background Intelligent Transfer Service (BITS) is a service that was first included with Windows XP, and it allows applications to transfer files in the background without interrupting the user. When an application wants to send or receive a file, BITS queues the request and determines the best delivery time. If the user is idle, BITS can use the spare bandwidth to download files; if the user is active, BITS will delay the transfer until the user is idle. This helps keep applications running smoothly while BITS transfers files between your computer and other computers or devices on your network. BITS uses peer-to-peer networking technology, which means that BITS can use your computer’s resources to transfer files to other computers or devices on your network.

 


 


 


 

BITS used by adversaries


BITS can be abused by adversaries to download, execute, and even clean up after running malicious code on a victim’s system. BITS is often used to download malware or other executables without drawing attention. Adversaries can also use BITS job objects to keep their activities hidden from administrators, making it difficult for security tools to detect malicious activity.

Exfiltration, the unauthorized transfer of data from a computer system, is a critical security concern for governments and businesses. Often, sensitive data is exfiltrated through simple methods such as email or removable media. However, attackers have started to use more advanced techniques to avoid detection. Recent research has shown that the BITS upload functionality can be used to exfiltrate data from systems without being detected. This finding underscores the importance of implementing strong security approaches.

While the recent ransomware attacks have been in the spotlight, a different type of cyberattack has been happening in the background. APT39, a known Iranian threat group, has been using the BITS protocol to exfiltrate stolen data from a compromised host. This is an interesting development because BITS is a low-bandwidth protocol that doesn’t cause performance degradation on the target system. In addition, it’s hard to detect because it appears to be a normal operation from a legitimate user. The advanced persistent threat (APT) group known as APT41 uses the Microsoft BITSAdmin tool to download and install payloads on victims’ machines. This is not the first time that BITSAdmin has been used in this way: the infamous Equation Group also used it in attacks dating back to at least 2010.

 

Manage BITS


BITS jobs can be managed through PowerShell and the BITSAdmin tool. PowerShell is a task automation and configuration management framework from Microsoft. It consists of a command-line shell and associated scripting language built on the .NET Framework. Administrators use PowerShell to manage machines and automate common tasks. BITSAdmin is a command-line tool that helps administrators create, manage, and monitor jobs and transfers on the Background Intelligent Transfer Service (BITS). Together, PowerShell and BITSAdmin provide administrators with a robust set of tools for managing jobs.
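The same PowerShell interface lets a defender review what is queued. The following is an added example, not code from the original article: it lists BITS jobs for all users and flags upload jobs, jobs with a notify command, and jobs whose remote host is outside an allow-list. The allow-list entries and the function name Test-BitsJob are assumptions made for illustration.

```powershell
# Added example: defender-side audit of queued BITS jobs.
# Run from an elevated session so that -AllUsers can see every owner's jobs.
Import-Module BitsTransfer

# Constructed allow-list (assumption): replace with the hosts your estate really uses.
$AllowedHosts = @('windowsupdate.com', 'updates.example.internal')

function Test-BitsJob {
    param(
        [Parameter(Mandatory)] $Job,
        [string[]] $AllowedHosts = @()
    )
    $reasons = @()

    # Upload and UploadReply jobs move data off the host (the exfiltration path).
    if ("$($Job.TransferType)" -like 'Upload*') { $reasons += 'upload job' }

    # A notify command runs a program when the job completes or fails.
    if ($Job.NotifyCmdLine) { $reasons += "notify command: $($Job.NotifyCmdLine)" }

    foreach ($file in $Job.FileList) {
        $uri = $null
        # RemoteName can also be a UNC path; only URLs with a host are checked here.
        if ([Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
            $hit = $AllowedHosts | Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
            if (-not $hit) { $reasons += "remote host not allow-listed: $($uri.Host)" }
        }
    }

    [pscustomobject]@{
        JobId       = $Job.JobId
        DisplayName = $Job.DisplayName
        Owner       = $Job.OwnerAccount
        State       = $Job.JobState
        Created     = $Job.CreationTime
        Reasons     = $reasons
    }
}

# Report only the jobs that tripped at least one check.
Get-BitsTransfer -AllUsers |
    ForEach-Object { Test-BitsJob -Job $_ -AllowedHosts $AllowedHosts } |
    Where-Object { $_.Reasons.Count -gt 0 } |
    Format-List
```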

 

Mitigation


Filter Network Traffic to only allow legitimate BITS traffic: Filtering network traffic is critical for ensuring your network’s security. Particularly in these days of ransomware and other malicious cyber-attacks, it’s important to ensure that only authorized traffic can reach your systems. One way of doing this is to use a filter to block all unauthorized traffic, which can be very labor-intensive and can also block legitimate traffic. A better solution is to use a filter that allows only authorized BITS traffic. This will help to keep your systems safe.

User Account Management to limit access to the BITS interface to specific users or groups: User account management for the Background Intelligent Transfer Service (BITS) is a necessary precaution to limit access to the BITS interface to specific users or groups. By default, all users have access to the BITS interface and can start and stop jobs, configure job properties, and get job status information. In addition, administrators can use group policies to control access to the BITS interface for specific users or groups.

Operating System Configuration to reduce the default BITS job lifetime in Group Policy: A default Group Policy setting sets the maximum lifetime of a BITS job to two days. When configuring operating systems in an enterprise environment, it is often necessary to reduce this value to prevent jobs from running indefinitely. This can be accomplished by editing the Group Policy Object (GPO) linked to the organizational unit (OU) in which the target systems are located. This blog post will provide instructions for reducing the default BITS job lifetime on Windows Server 2008, 2012, and 2016 operating systems.
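The job-lifetime setting can be checked on a host from PowerShell. This is an added example, not part of the original article: it reads the JobInactivityTimeout and MaxDownloadTime values under the BITS policy key and can set them locally. The target values and function names are assumptions, and on domain-joined machines the values should be set in the GPO itself, with this script used only to verify the result.

```powershell
# Added example: audit and (optionally) set the BITS job-lifetime policy values.
# Target values are illustrative assumptions; choose ones that fit your environment.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\BITS'
$Target = [ordered]@{
    JobInactivityTimeout = 7        # days an inactive job may remain queued
    MaxDownloadTime      = 86400    # seconds a job may spend actively downloading
}

function Get-BitsLifetimePolicy {
    foreach ($name in $Target.Keys) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Current   = if ($null -eq $current) { 'not configured' } else { $current }
            Target    = $Target[$name]
            # Compliant only when a value is set and is no longer than the target.
            Compliant = ($null -ne $current) -and ($current -le $Target[$name])
        }
    }
}

function Set-BitsLifetimePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Target.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", "set to $($Target[$name])")) {
            New-ItemProperty -Path $PolicyKey -Name $name -Value $Target[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Read-only report of the current state.
Get-BitsLifetimePolicy | Format-Table -AutoSize
# Set-BitsLifetimePolicy -WhatIf    # preview; drop -WhatIf to apply (elevated session)
```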

 

Conclusion


Windows Background Intelligent Transfer Service (BITS) is a service that transfers files between your computer and other computers or devices on your network. BITS uses peer-to-peer networking technology, which means that BITS can use your computer’s resources to transfer files to other computers or devices on your network. BITS is a reliable and controlled infrastructure that adversaries often use to transfer files. BITS allows files to be transferred in a way that is not easily monitored or traced. However, adversaries may use BITS to transfer files that contain malicious code or to transfer files that contain information that they wish to keep confidential. According to MITRE, to mitigate the BITS Jobs technique we should apply: 1) Filter Network Traffic, to only allow legitimate BITS traffic; 2) User Account Management, to limit access to the BITS interface to specific users or groups; and 3) Operating System Configuration, to reduce the default BITS job lifetime in Group Policy.