If you are doing incident response, you must know what MITRE ATT&CK is. As it’s a great guide to threat actors tactics and techniques, I thought it’s a good idea to look at it from a forensic perspective.
The ATT&CK can definitelly help digital forensic analysts to find evil both during traditional host-based forensic activities and more incident response related those may include memory and network forensics.
The ATT&CK doesn’t include a lot of information about forensic artifacts left after usage this or that technique, so I decided to fill this gap and write a series of posts about it.
The first post of this series will cover the technique with ID 1197 – BITS Jobs.
According to the ATT&CK, “Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM)“. So, it can be used by the attackers to transfer malicious files to the compromised host or exfiltrate data, and even gain persistence, as BITS jobs default maximum lifetime is 90 days.
This technique has been seen in the wild, and used by a few groups. For example, APT40 used bitsadmin.exe to download additional tools.
For testing purposes, I’ve created a job to download Putty using BITSAdmin.
Let’s start from evidence of execution. For example, Prefetch files. As you know, these are located under C:\Windows\Prefetch and can be parsed, for example, with PECmd:
So we can see that bitsadmin.exe has been run at least 5 times. What is more, we have the timestamps!
Ok, let’s dig deeper and look into Windows Event Logs. From the Prefetch analysis we knew that the system is Windows 10, so we can look for EVTX files in C:\Windows\System32\winevt\Logs. The file of interest is Microsoft-Windows-Bits-Client%4Operational.evtx.
Here we have a small timeline of what was happening. Let’s start from event ID 3. It was created on 12.05.2019 at 09:30:40 and shows that BITS created a new job called “maljob” (sorry for the absence of screenshots – my laptop’s running Russian version of Windows 10, so the event descriptions are in Russian).
Next event ID – 59. This event was created at the same time as event ID 3, and says that BITS started “maljob” job connected with the following address: https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe. So now we see what was downloaded and from which address. Not bad!
Event ID 60 at 09:30:51 – “maljob” was stopped with code 0, the transfer was finished successfully.
And the last one – ID 4. Here we have the user name who created the job and the number of files transfered.
Ok, now we know what was downloaded, but don’t know where. Let’s create a timeline and look what was created around that time:
So, it seems putty.exe has been downloaded to C:\Windows\System32 as svch0st.exe. And here we have a very interesting thing: only Metadata Change timestamps were changed, both $SYSTEM_INFORMATION and $FILE_NAME!
Here is the full set of downloaded file’s timestamps as displayed in FTK Imager (22.214.171.124):
We have gathered quite a lot of forensic artifacts, but it’s still not all. There is another useful source of BITS usage evidence – qmgr.dat located under C:\ProgramData\Microsoft\Network\Downloader. In Windows 10 it’s an ESE database, so it can be easily browsed and analyzed with, for example, ESEDatabaseView. Unfortunatelly, it doesn’t contain any info about finished jobs, but using a hex viewer you can find some pieces of useful info:
Before Windows 10 Version 1703 (Creators Update) this file was not in ESE format, but there is a tool for parsing it, it’s called bits_parser.
As you can see, we can find quite a lot using host-based forensics. If you enjoy this series please let me know – it’s very important. If you have any suggestions about which techniques should be covered first – let me know as well, for example, via Twitter.
Thanks for reading and happy forensicating!