Home
ATT&CK Techniques
T1197 BITS Jobs

T1197 BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.PS-01.01	Configuration baselines	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation. References
PR.PS-01.02	Least functionality	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. References
PR.PS-01.03	Configuration deviation	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement provides protection from BITS Jobs through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges. References
PR.AA-01.02	Physical and logical access	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. References
PR.IR-01.02	Network device configurations	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to to only allow legitimate BITS traffic can mitigate adversary abuse of BITS Jobs. References
PR.IR-01.03	Network communications integrity and availability	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement protects against BITS Jobs through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. References
PR.AA-01.01	Identity and credential management	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement protects against BITS Jobs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. References
PR.PS-01.08	End-user device protection	Mitigates	T1197	BITS Jobs	Comments This diagnostic statement protects against BITS Jobs through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1197	BITS Jobs
CM-06	Configuration Settings	mitigates	T1197	BITS Jobs
CM-05	Access Restrictions for Change	mitigates	T1197	BITS Jobs
SI-10	Information Input Validation	mitigates	T1197	BITS Jobs
SI-15	Information Output Filtering	mitigates	T1197	BITS Jobs
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1197	BITS Jobs
CM-07	Least Functionality	mitigates	T1197	BITS Jobs
SI-04	System Monitoring	mitigates	T1197	BITS Jobs
AC-02	Account Management	mitigates	T1197	BITS Jobs
AC-03	Access Enforcement	mitigates	T1197	BITS Jobs
AC-04	Information Flow Enforcement	mitigates	T1197	BITS Jobs
AC-05	Separation of Duties	mitigates	T1197	BITS Jobs
AC-06	Least Privilege	mitigates	T1197	BITS Jobs
SC-07	Boundary Protection	mitigates	T1197	BITS Jobs

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.malware.variety.Export data	Export data to another site or system	related-to	T1197	BITS Jobs