MITRE ATT&CK™ Analysis - T1197 BITS Jobs


BITS Jobs Overview

BITS tasks are self-contained in the BITS job database. These tasks allow Persistence by creating jobs that last a long time (the default maximum lifetime is 90 days), or by invoking an arbitrary program when a job completes or errors (this includes after system reboots).

BITS Jobs Analysis

Lab Example

RED TEAM: ATTACK

A BITS job is set up to transfer cmd.exe to 3 arbitrary file names. The BITS job commands that were run, as seen through a SIEM solution, are shown below; using this we can establish our persistence. The end result is that whenever the specified files are ‘transferred’, which in this case is essentially a local copy, the calculator is executed on this host.

T1122 - BITS Jobs 2

BLUE TEAM: DEFEND

This can sometimes be detected through Event ID 64 in the Microsoft-Windows-Bits-Client/Operational log, and the job database can be viewed on a system during live triage with:

bitsadmin /list /allusers /verbose

T1122 - BITS Jobs 1
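As an added triage helper (not part of the original post), the following parses the output of the bitsadmin command above and flags jobs that will run a program on completion or error, or whose "transfer" source is a local path rather than a URL, the two traits of the lab example. The sample text is constructed here and only approximates the verbose bitsadmin layout; the field names `GUID:`, `DISPLAY:`, `OWNER:`, `NOTIFICATION COMMAND LINE:` and `JOB FILES:` are assumed.

```python
import re

# Constructed sample approximating `bitsadmin /list /allusers /verbose`
# output (not captured from a real host): one benign download and one
# job that copies cmd.exe locally and launches calc.exe when it finishes.
SAMPLE_OUTPUT = r"""GUID: {11111111-1111-1111-1111-111111111111} DISPLAY: UpdateJob
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
NOTIFICATION COMMAND LINE: NULL
JOB FILES:
    1 / 1 WORKING http://updates.example/patch.cab -> C:\Windows\Temp\patch.cab
GUID: {22222222-2222-2222-2222-222222222222} DISPLAY: svc
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: LAB\user
NOTIFICATION COMMAND LINE: C:\Windows\System32\calc.exe
JOB FILES:
    1 / 1 WORKING C:\Windows\System32\cmd.exe -> C:\Users\Public\a.exe
    1 / 1 WORKING C:\Windows\System32\cmd.exe -> C:\Users\Public\b.exe
"""

def parse_bits_jobs(text):
    """Split verbose bitsadmin output into one dict per job."""
    jobs, job = [], None
    for line in text.splitlines():
        m = re.match(r"GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$", line)
        if m:  # a GUID line starts a new job record
            job = {"guid": m.group(1), "display": m.group(2).strip(),
                   "owner": None, "notify_cmd": None, "files": []}
            jobs.append(job)
            continue
        if job is None:
            continue
        if line.startswith("TYPE:") and "OWNER:" in line:
            job["owner"] = line.split("OWNER:", 1)[1].strip()
        elif line.startswith("NOTIFICATION COMMAND LINE:"):
            value = line.split(":", 1)[1].strip()
            job["notify_cmd"] = None if value in ("", "NULL") else value
        else:  # file entries: "<done> / <total> <state> <source> -> <dest>"
            m = re.match(r"\s+\d+ / \d+ \S+ (.+?) -> (.+)$", line)
            if m:
                job["files"].append((m.group(1), m.group(2)))
    return jobs

def suspicious_jobs(jobs):
    """Return (guid, reasons) for jobs showing the T1197 persistence traits."""
    hits = []
    for j in jobs:
        reasons = []
        if j["notify_cmd"]:  # program invoked when the job completes/errors
            reasons.append("notification command line set: " + j["notify_cmd"])
        local = [src for src, _ in j["files"] if re.match(r"[A-Za-z]:\\", src)]
        if local:  # a local source means the "transfer" is really a copy
            reasons.append("local file copy rather than download: " + ", ".join(local))
        if reasons:
            hits.append((j["guid"], reasons))
    return hits
```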