Threat Hunting – A proactive Method to Identify Hidden Threat

According to ISO 27005, a threat is defined as a potential cause of an incident that may cause harm to systems and organization. Software attacks, theft of intellectual property, identity theft, sabotage, and information extortion are examples of information security threats. As a result, most of the organization chose active threat hunting practice to defend their organization from the network’s unknown threat.

Table of Content

What is Threat Hunting?

Why threat hunting is important?

Who is threat hunter?

What Are the IOCs?

Threat Hunting Plan

  • Design Your Network for Hunting
  • Get your Team Ready
  • Know your Enterprise
  • Collect Hunt Data
  • Know Your Adversary TTP
  • Threat Intelligence Feeds
  • Create a Hypothesis
  • Hunt Cycle
  • Measuring Success
  • Resources

What is threat hunting?

Threat hunting is a proactive offense approach that security professionals use with the aid of Intel Threat. It consists of iteratively scanning through networks to detect compromise indicators (IoCs) and threats such as Advanced Persistent Threats (APTs) which bypass your existing security framework.

Analysts monitor, detect and delete active opponents in a network. They do this as early as possible in order to minimize damage and to reduce the time needed to identify a suspected threat.

Threat hunting tools and techniques are used by researchers to monitor and detect hidden activities. An example of a threat hunting Framework is, implemented N-SOC as part of a next-generation SIEM framework.

The SANS Institute authors expand on the cyber threat hunting process, calling it an active defense strategy consisting of:

Intelligence: The process of collecting data, turning the data into usable information, analyzing the potentially competing sources of that information to produce a tactical defense strategy.

Offense: The countermeasures organizations may take to defend against cyberattacks, in particular Advanced Persistent Threats (APT).

Why threat hunting is Important?

Threat hunting’s main purpose is to reduce the time needed to find signs of threats who have already breached the IT infrastructure. Since zero-day and Advanced Persistent Threats (APT) continue to challenge security staff, researchers are implementing threat analysis tools and approach to discover threats more efficiently. Through discovering these imprints as soon as possible, the risk of breaches can be reduced on the enterprise.

Other benefits of threat hunting include:

  • Identification of gaps in visibility necessary to detect and respond to a specific attacker TTP.
  • Classification of gaps in finding.
  • Advancement of new monitoring use cases and detection analytics.
  • Exposing new threats and TTPs that response to the threat intelligence process.
  • Recommendations for new preventive measures.

Who is threat hunter?

A threat hunter is a security professional who is skilled to recognize, isolate and defuse APTs by using manual or AI-based techniques because such threats can not be detected by network monitoring tools. He may hunt for insider provocations or outside intruders to uncover risks posed by malicious actor typically employees, or outsiders, including a criminal organization.

Threat hunting activity is mainly related to the NSOC, which represents the Next-Generation Security Operations Center because the threat hunter reports to the threat hunting team manager for hidden threats, who reports to the Chief Information Security Officer (CISO) and is further reported to the SOC manager for integration with the Security Operations Center (SOC) 

What Are the IOCs?

Threat Intelligence feeds can aid in this phase by defining specific vulnerability identifying common indicators (IOCs) and suggesting measures necessary to prevent threat or breach.

Some of the most common indicators of compromise include:

  • A case would be when the intrusion that attacks an organizational host that established a connection with attackers such as IP addresses, URLs and Domain names
  • An example will be a phishing campaign based on an unwilling user clicking on a connection or attachment and a harmful instruction being activated such as Email addresses, email subject, links and attachments.
  • An instance would be an attempt by an external host that has already been detected for malicious behaviours such as Registry keys, filenames and file hashes and DLLs.

Threat Hunting Plan

The cyber threat hunting team should be answerable to these questions before planning for the operation.

  1. What is it that you hunt? You have to select exactly which adversaries you’re chasing for.
    • Exploitation?
    • Lateral movement?
    • Exfiltration?
  2. Where are you going to find the opponent/adversaries/IOC?
  3. How would you consider an opponent/adversaries/IOC?
  4. When will you find it?

The Chief Information Security Officer (CISO) should prepare a complete checklist that would be required for effective threat hunting before beginning the threat hunting operation within the company. This helps the team define the resources and tools used in the project and create a parallel strategy as the backup plan if the primary process fails.

1. Design Your Network for Hunting

It is important to consider that the proactive threat hunting should be conduct in a well secure environment where Chief information Security Office arrange all network essential equipment required in the activity, such as given below.

  • Segmentation : Security Zones
  • NTP : Network Time Protocol
  • Protection/Detection : FW/IDS/IPS/DLP/Proxy
  • Tapping : Dump PCAP Data
  • Visibility : Enable Logging as required

2. Get your Team Ready

The officer should build a team of professionals that are spontaneous in doing their job as per the situation requirements and know the situational awareness.

The skill of a threat hunter:

Proactively hunts for known adversaries—He is capable to identify the pattern of malicious code used by famous attackers that match to threat intel feeds or blacklist of known program.

Prevent the attack by identifying unknown threats— Threat hunters evaluate the computer system by means of constant surveillance. They choose behavioural analysis to identify abnormalities that indicate a threat.

Implements the incident response proposal—Hunters collect as much information as possible when they identify a threat before conducting an incident response strategy to nullify it. This could be used to refine the response plan and prevent future attacks.

3. Know your Enterprise

Group members should be mindful of the organization’s jewel crown by knowing the valuable assets and recognizing threat carriers that might affect the company. They should be able to calculate the effect of risk by prioritizing the unknown threat within the network.

Hence, they should be able to classify the following checklist for their organization:

  • Identify Assets
  • Know Threats to Your Assets
  • Prioritize ( High Value / Critical Assets First )
  • Baselining – Know what is normal ?

4. Know Your Adversary TTP

The Threat Hunters team aims to evaluate Tactics, Techniques, and Procedures (TTPs) that are learned from the indicators with the help of a process known as “Attack Tree Analysis” that includes defining certain measures an attacker can take to break the networks of an organization (Schneier, 1999). “The Lockheed Martin Cyber Kill Chain,” which describes one way of determining where an adversary’s actions occurred in the attack chain. Intruders also follow these steps on the Cyber Kill Chain while striving to get into a network or web server.

A cyber kill chain is a ‘Lockheed Martin’ model that uncovers the phases of a cyber-attack from early reconnaissance to the objective of data exfiltration: Flow Data NetFlow PCAP DNS Proxy Logs FW/SW/Routers.

5. Collect Hunt Data

When conducting the threat hunting task, the collection of hunting data is a very valuable phase in which one must collect the malicious data from the logs created in the network by monitoring the security equipment installed in the network in order to filter packets. Indeed, this phase is the big contribution in providing threat Intel feeds.

Through analyzing logs at each grade, the specialist may recognize the unknown threat carriers that would be active over a long period of time in the network and may constitute a threat of zero-day.

6. Threat Intelligence Feeds

 CTI is focused on data collection and analysis to identify potential or current threats to an IT infrastructure. This helps organizations to proactively defend critical infrastructure or intellectual property of an entity from cyber-attacks by using open-source intelligence (OSINT), social media intelligence (SOCMINT), human intelligence (HUMINT), deep and dark web technological intelligence or intelligence Security teams look for Indicators of Compromise (IoCs) for persistent threats and zero-day (recently discovered) exploits.

The cyber threat intel Feeds can be categorized in two broad categories:

Free Available: Open Source, OSINT, Social Listing

Paid: Private, Government, commercial vender

The intelligence feeds are continual streams of credible information about existing or potential threats and bad actors. The researchers are collecting security data from several sources on IoCs such as abnormal behaviour and suspicious domains and IP addresses. They can then correlate the information and process it to generate reports of threat intelligence and management.

7. Create a Hypothesis

8. Hunting cycle

The team should follow a common framework at the time of threat hunting which defines the threat hunting cycle process. It is a closed-loop that forms a model process for effective hunting which defines four vital stages.

Hypothesis: – Cyber threat hunting is started by making informative beliefs, about the different types of adversarial effects or behaviours that exist in your business network.

Investigate via tools & technique: – Hypotheses are examined via multiple tools and techniques in Identifying the relationship between different data sets. An analyst can use these to discover new malicious patterns in their data and reconstruct complex attack paths to reveal an attacker’s Tactics, Techniques, and Procedures (TTPs).

Uncover new pattern & TTP: – A hunter often uses manual methods, tool-based workflows or analytics to discover the specific patterns or anomalies that may be detected in an investigation. What you will find in this phase is a critical part of a hunt’s success criteria. Even if an anomaly or intruder is not detected, you want to be able to rule out the existence of a particular strategy or compromise. Essentially, this step acts as the step of “proving or disproving the hypothesis.”

Inform Enrich & Analytic: – Lastly, effective hunts form the basis for guiding and empowering predictive analytics. Do not waste time doing the same hunts over and over with your squad. If you discover an indicator or pattern that may reoccur in your system, automate its monitoring to keep your team focused on the next new hunt. Hunting information can be used to upgrade existing monitoring systems, which could include modifying SIEM rules or signatures for analysis.

9. Measuring Success

Once the hunting operation cycle has been completed, it is important to evaluate the finding and the assign task KRA to measure the success matrix.

  • Number of Incidents by severity
  • Number of Compromised Hosts
  • Dwell Time of Incidents Discovered.
  • Logging Gaps Identified and Corrected
  • Vulnerabilities Identified
  • Insecure Practices Identified and Corrected
  • Hunts Transitioned to Analytics
  • New Visibilities Gained

Resources:

TaHiTI-Threat-Hunting-Methodology-whitepaper.pdf

D2 BSIDES – Hunting Threats in Your Enterprise

Sqrrl: A Framework for Cyber Threat Hunting

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Evil SSDP: Spoofing the SSDP and UPnP Devices

TL; DR

Spoof SSDP replies and creates fake UPnP devices to phish for credentials and NetNTLM challenge/response.

Disclaimer

Table of Content

  • Introduction
    • What is SSDP?
    • What are UPnP devices?
  • Installation
  • Spoofing Scanner SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Office365 SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Password Vault SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Microsoft Azure SSDP
    • Template Configuration
    • Manipulating User
  • Mitigation

Introduction

What is SSDP?

SSDP or Simple Service Discovery Protocol is a network protocol designed for advertisement and discovery of network services. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on port 1900. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.

What are UPnP devices?

UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.

Now that we understood the basic functions of SSDP or UPnP, let’s use it to manipulate the target user in order to steal their credentials.

Installation

The Evil SSDP too was developed by initstring. This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.

In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.

Spoofing Scanner SSDP

Now, that we ran the tool without any issues, let’s use it to gain some sweet credentials. In this first Practical, we will be spoofing a Scanner as a reliable UPnP device. To begin, we will have to configure the template.

Template Configuration

To use the tool, we will have to provide the network interface. Here, on our attacker machine, we have the “eth0” as our interface, you can find your interface using the “ifconfig” command.

After providing the interface, we will use the “–template” parameter to pass a template that we found earlier in the templates directory. To spoof a scanner, we will be running the following command. As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888. We also have the SMB pointer hosted as well.

Manipulating User

The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.

Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.

Grabbing the Credentials

As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.

Spoofing Office365 SSDP

In the previous practical, we spoofed the scanner to the target user. Now, ongoing through the template directory, we found the Office365 template. Let’s use it.

Template Configuration

As we did previously, let’s begin with the configuration of the template as well as the tool. We are going to use the python3 to run the tool followed by the name of the python file. Then providing the network interface which indeed will be followed by the template parameter with the office365.

As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888.

Manipulating User

As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.

Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.

Grabbing the Credentials

As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.

Diverting User to a Password Vault SSDP

Until now, we successfully spoofed the target user to gain some scanner credentials and some Office365 backup credentials. But now we go for the most important thing that is used as a UPnP, The Password Vault.

Template Configuration

As we did in our previous practices, we will have to set up the template for the password-vault. In no time, the tool hosts the password-vault template onto the port 8888.

Manipulating User

Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.

As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.

Spoofing Microsoft Azure SSDP

While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.

To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the (-u) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.

Manipulating User

Now that we have started the tool, it will create a UPnP device on the Target Machine as shown in the image given below. For the attack to be successful, the target needs to click on the device.

After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.

This concludes our practical of this awesome spoofing tool.

Mitigation

  • Disable UPnP devices.
  • Educate Users to prevent phishing attacks
  • Monitor the network for the password travel in cleartext.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Windows Persistence using Application Shimming

In this article, we are going to describe the persistence of the Application Shimming and how vital it is in Windows Penetration Testing.

TL; DR

Application Shimming is a technique used on Windows OS that can be used to make the applications developed for the earlier versions of Windows OS still work on the latest version of Windows

Table of Content

  • Introduction
    • What is Application Shimming?
    • How does Application Shimming work?
  • Configurations used in Practical
  • Persistence using Application Shimming
    • Malicious DLL Creation
    • Injecting Malicious DLL
    • Installing Infected Executable
    • Gaining Persistent Shell
  • Detection
  • Mitigation
  • Conclusion

Introduction

What is Application Shimming?

Ever since the early stages of Microsoft Windows, there have been some fundamental features that have been part of the Windows basic Functionalities. One of them is their “Backward Compatibility”. What it means is that if your Software was developed earlier like at the time of Windows XP. But now we have Windows 10 and you are worried that if the Windows will able to run that piece of software as it has updated. Here, the Backward Compatibility comes into play. It gives us the ability to run the software on the Windows OS that was not developed on that particular OS.

The “Shim Infrastructure” or how they like to call it at the big house “Microsoft Windows Application Compatibility Infrastructure” helped its user get that backward compatibility. Now the thing to keep in mind is that during all those years of development, Windows kept its basic Architecture the same. They developed around the same framework that they started to work in the early nineties. This means that there are still some bits of code in the Windows 10 that has been there since the times of Windows 95.

How does Application Shimming Work?

The Shim Infrastructure applies a method of Application Programming Interface (API) hooking. Explicitly, it forces the nature of linking to redirect API calls from Windows itself to alternative code – the shim itself. The Windows Portable Executable (PE) and Common Object Format (COFF) Specification includes several headers, and the data directories in this header provide a layer of indirection between the application and the linked file. Calls to external binary files take place through the Import Address Table (IAT). Consequently, a call into Windows looks like the image shown below to the system.

We can modify the address of the Windows function fixed in the import table, and then replace it with a pointer to a function into the alternate shim code, as shown in the image given below.

This indirection happens statically linked .dll files when the application is loaded. You can also shim dynamically linked .dll files by hooking it with an API.

Configurations used in Practical

Attacker:

OS: Kali Linux 2019.4

Tools: MSFVenom, Metasploit Framework

Target:

OS: Windows 10 (Build 1909)

Tools: Windows Assessment and Deployment Kit (Windows ADK), PuTTY.exe

You can download the Tools by clicking on Their Name.

Persistence using Application Shimming

Application Shimming can perform many functions but we will be focusing on gaining a persistence shell on the Target System for now. This practical was tested in a lab-controlled environment where we have the configurations set for minimum interference. The actual real-life scenario can differ.

Malicious DLL Creation

To begin the exploitation, we decided to create a payload using the MSFVenom tool. We used the reverse_tcp payload with the target to be Windows System and gaining a shell. We defined the LHOST for the IP Address for the Attacker Machine followed by the subsequent LPORT on which we will be receiving the session from the target machine. We created this payload in the form of a Dynamic Link Library or DLL and named it inject.dll

As discussed in the Configurations used section we need the Windows Assessment and Deployment Kit. After downloading and installing it, we have service inside it. Its called Compatibility Administrator. We are going to need it to proceed further.

Now in our Attacker Machine, we transferred the recently created DLL to the Target Machine. We use the python one-liner for it. There are lots of ways this can be done. We start a Multi/Handler on the Attacker Machine with the proper configuration to receive the session that will be generated soon.

Injecting Malicious DLL

Now we will divert our attention to the Target Machine. After browsing the IP Address of the Attacker Machine and downloading the Malicious DLL file, we open the Compatibility Administrator as shown in the image given below. Here we are using the 32-bit version as it is easier to bind the DLL to it. We also created a new custom Database.

Now we begin the process of binding the safe and original Executable without malicious DLL file. We right-clicked on our newly created Database and choose the First option in the Dropdown Menu called Create New. This leads to opening a sub-drop-down menu. We choose the Application Fix option as shown in the image given below. We can also use the Shortcut by pressing the Ctrl key and P key simultaneously.

As soon as we click on that Application Fix option, we have ourselves a Config Window Titled “Create New Application Fix”. We enter the name of the Program to be fixed as “putty”. And we provide the path of the executable to the program we want to inject our malicious DLL into. In this case, we provide the path of the PuTTY.exe and hit Next.

Now we are asked the compatibility modes. This would have been important if we were fixing a genuine executable. Or using the Shimming for genuine purposes. As we are not doing any of that, we will skip this step and straight-up hit the “Next” button and move on.

Now we are at an important step. We are asked the compatibility fix that we want to apply to the executable. We choose the “InjectDll” option from the list as shown in the image given below. After checking the box we hit the “Parameters” button to provide the path of out malicious DLL that we created at the start of the exploitation.

This opens up a new small window asking the Command-Line. Here we provide the path of our malicious DLL and click OK button.

Back to out config window, we click the Next Button and now we have the Matching Information panel in front of us. We click on “Unselect All” Button as we don’t want to add any more additional configurations to out payload. At last, we hit the Finish Button.

This closes the config window. We are back to our Compatibility Administrator window. We click the Save button as shown in the image below to inject our DLL in the PuTTY executable.

We are asked to name the database, we name it puttyshim. This can be whatever you want. In real life attacking situations choose the name that is less conspicuous.

After naming the database we are asked the location, where we want to save the AppCompat Database or the .sdb file of the complete configuration.

Installing Infected Executable

Now that this is done, we will now install the now infected Executable on the Target Machine. This can be done by right-clicking on the name of the database and choosing the Install option from the drop-down button.

This initiates an installation process that will installed our infected executable as a service. We can see that in the Programs and Features section inside the Control Panel as shown in the image below. If we had added the Publisher or Vendor Information at the earlier stage it would have appeared here.

 

Gaining Persistent Shell

Now when we execute the service that we just shimmed and installed. As soon as we have the program executed on the target machine, we will receive a shell on our attacker machine as shown in the image below. We can add the infected service in the startup service list to receive the shell every time the Target system reboots.

This concluded the exploitation. Now let’s talk defense mechanisms.

Detection

There are many tools available that can detect the applications that have been shimmed.

  • Shim-File-Scanner: Scans Files/Folders for non-default shims and checks registry for installed shims
  • Shim-Process-Scanner: Will search all process for shim flags and also check for the Shim App Helper

Other than that the process of shimming creates a bloody trail that leads right to the smoking gun aka the shimmed application. Shimming creates a trial inside the Registry at the following locations.

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Apart from the registry, we have some locations on the Drives where we can find evidence for the Application Shimming.

  • C:\Windows\AppPatch\Custom\
  • C:\Windows\AppPatch\Custom\Custom64\

We can also create custom Yara Rules and snort rules that could detect Application Shimming.

Mitigation

As always, the first line of defense against any kind of attack is keeping our infrastructure and devices updated. Microsoft released this patch for restricting the Shim Application to bypass the UAC.

Some tools like the one in the Detection section can be used for mitigating the Applications Shimming.

Shim-Guard: Detects and alert on newly installed shims

We can also implement strict UAC policies to notify when a user is getting elevated privileges.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different environments where the large scale compromise was done using the Applications Shimming.

Stay Tuned!

MITRE|ATT&CK

Black Hat USA

FireEye

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Windows for Pentester: BITSAdmin

In this article, we are going to describe the utility of the BITSAdmin tool and how vital it is in Windows Penetration Testing.

TL; DR

BITSAdmin is a tool preinstalled on Windows OS that can be used to download malicious files. It is one of the Living Off Land (LOL) Binaries.

Disclaimer

The main objective of publishing the series of “Windows for Pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any Pentester while solving CTF challenges or OSCP labs which are based on Windows Operating System. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

  • Introduction
    • What is BITSAdmin?
  • Configurations used in Practical
  • Working with BITSAdmin
    • Downloading using /transfer Switch
    • Downloading using /addfile Switch
    • Downloading using PowerShell Cmdlet
    • Downloading using One-liner
  • Penetration Testing using BITSAdmin
    • Compromising using Malicious Executable
    • Compromising using File-Less Payload
    • Compromising with Malicious Executable inside ADS
  • Persistence using BITSAdmin
  • Detection
    • SC Query
    • QMGR Database
    • Verbose Switch
    • Event Logs
  • Mitigation
  • Conclusion

Introduction

What is BITSAdmin?

Background Intelligent Transfer Service Admin is a command-line tool that creates downloads or uploads jobs and monitors their progress. BITSAdmin was released with the Windows XP. At that time, it used the IBackgroundCopyJob as its interface. The Upload option of the BITSAdmin was introduced with the release of Windows Server 2003. With the release of Windows Vista, we had some more additional features like Custom HTTP headers, Certificate-based client authentication, IPv6 support. Subsequent year was the release of the Windows Server 2008, it introduced the File Transfer Notification Method (which we use it to run an executable in Practical #5). Windows 7 introduced Branch Cache Method for the BITS Transfer. When BITS downloads a file, the actual download is done behind the svchost.exe service. BITSAdmin is used to download files from or upload files to HTTP web servers and SMB file shares. It takes the cost of the transfer into account, as well as the network usage so that the user’s foreground work is not influenced. BITS has the ability to handle network interruptions, pausing and automatically resuming transfers, even after a reboot.

Configurations used in Practical

Attacker:

  • OS: Kali Linux 2019.4
  • IP: 192.168.1.13

Target:

  • OS: Windows 10 (Build 18363)
  • IP: 192.168.1.11

Working with BITSAdmin

As we discussed in the introduction that BITSAdmin is used as a download client. Now we will see the BITSAdmin in action. There are 2 switches to download a file in BITSAdmin, first one is ‘/transfer’ and ‘/addfile’. The working of both these parameters is quite identical. But the way these switches present the progress and completion feedback is different. BITSAdmin downloads files in the form of jobs. A job has to be defined before moving forward. After downloading we can work on the jobs using the various switches.

Practical #1: Downloading using /transfer Switch

The /transfer switch is a short and quick way to download any file from the remote server to the Host Machine. To begin the transfer, we need to define the Display Name of the transfer. It can be anything the user wishes.

Here, we named all our transfers as “hackingarticles”. Now after defining the name, we need to enter the location with the name of the file from the remote server. For the Test Environment, we have a sample image file named ignite.png at the remote server. We mention it and we also mention the Local Location and Name of the file. After providing all this information we hit Enter key and the transfer begins.

We can see that we can see the State as Transferred and we also get a confirmation “Transfer complete”. We perform a directory Listing to check the file and we are assured that the file was indeed transferred successfully.

Practical #2: Copying Files Locally

BITSAdmin works on the principle of File Transfer. Hence, we can also use it as a glorified copy and paste command. This means that BITSAdmin will also be able to transfer from one location to another on the same machine. Let’s give it a try.

As we already know that the BITSAdmin deals with jobs. So, we will first declare a job. We named it hackingarticles.

The file that is supposed to be transferred should be added to the job. We use the /addfile switch to complete this task. We will be transferring the file.txt from “C:\” to “C:\Users\Victim\Desktop\”.

Now to initiate the transfer we will be using the /resume switch. This will sound different but the /resume switch does, in fact, initiate the transfer.

Now, when the transfer initiated. It transfers the file in the form of a temporary file. To actually get the file fully we will need to run the /complete switch. And as we can see that file is successfully transferred to the Destination.

We can see that the intended file is successfully downloaded on the Target System.

Practical #3: Downloading using PowerShell Cmdlet

The practicals that we showed just now can be performed on Windows Command Prompt (cmd.exe) as well. With the release of the Windows Server 2016, Microsoft has released a cmdlet specifically for the PowerShell to manage the BITS Jobs using BITSAdmin Client. It is named as Start-BITSTransfer.

For the transfer using this cmdlet, we don’t have to mention the name of the Job. We can just define the Source and Destination as shown in the image given below.

Note: If while penetration testing, we get an environment that is strictly PowerShell and we are not able to use the BITSAdmin normally, we can use this method.

Practical #4: Downloading using One-liner

We can transfer our files using BITSAdmin in one execution. This is a good example when we are in a hurry for a transfer. Instead of declaring the job, add the file to the job, resuming the job and complete the job in different steps we can complete all the steps required to transfer in this one-liner. This method gets the work done in one go. This can also be used to push in a location where we can execute a single instance of command.

Penetration Testing using BITSAdmin

BITSAdmin can perform many more functions (like upload files, etc.) but we will be focusing on Penetration Testing for now.

Practical #5: Compromising using Malicious Executable

It’s time to move on from utility to Penetration Testing. We will be getting a meterpreter session using a payload which will be downloaded and executed using the BITSAdmin. These practical were tested in a lab-controlled environment where we have the same network configuration for the entirety of the Practical. So, we created the payload once and used it multiple times.

To begin the exploitation, we decided to create a payload using the msfvenom tool. We use the reverse_tcp payload with the target to be Windows System and gaining meterpreter. We defined the Lhost for the IP Address for the Attacker Machine followed by the subsequent Lport on which we will be receiving the session from the target machine. We created this payload in the form of an executable and sent this payload to the /var/www/html/ directory.

After the payload creation, we start the apache2 service so that the payload is available to download on the Local Network.

After serving the payload on the web server, we will run the listener which can capture the meterpreter session when it will get generated.

We set the proper configuration of the payload. We set the attacker machine’s IP address as the localhost address and the port that we mentioned while creating the payload as a local port.

In our previous practices, we downloaded a file, now we will download the payload using the same technique. But as BITSAdmin can also execute the payload by itself we will define parameters for it.

Starting with creating a job named “hackingarticles”, then we add the payload file in the job that we just created.

After adding the file, we use the /SetNotifyCmdLine switch to execute the payload. This is done with the help of an action that we scripted. First, it will start the cmd.exe and then, it will complete the download and then it will execute the said command in the background.

After this, we run the /resume switch to get the download started.

After the download completes, it executes the payload and we have ourselves a meterpreter session.

Practical #6: Compromising using File-Less Payload

In the previous practical, we created a payload file and then gained a session from it. This method creates a file that can be detected. In other words, it was traceable. But as BITSAdmin can execute a command directly we can exploit the target without using a file.

We will start this practice with our attacker machine, we will be running Metasploit Framework. After opening it we will use the web_delivery Exploit as shown in the image given below.

Here we choose the target 3 (Regsvr32) as it will generate a small command that can be executed to get the meterpreter session.

We set the attacker machine’s IP Address as localhost address and we run it. It works for a bit and gives us the regsvr32 command that will give us access to the target machine.

On the Target Machine, there is a holdup. BITSAdmin is programmed to run the command only on completion of the download. So, we will be needing to download something. It can be anything that seems harmful. As BITSAdmin is designed to download the Windows Updates, we can use its file as well. Here we will be using a harmless png image file.

After adding the file, we will move on the /SetNotifyCmdLine. Here we will modify the command that was created using web_delivery in such a way that regsvr32.exe creates the session from the target machine to attacker machine.

Finally, we resume the BITSAdmin to get this working.

As shown in the screenshot given below, we grab a meterpreter session from the Target Machine as soon as the command gets executed.

This was a stealthy method as there is no file associated with the session we obtained. But this can get stealthier using the right techniques.

Practical #7: Compromising with Malicious Executable inside ADS

In the previous article of this series, we introduced Alternative Data Stream. So, without going into details about the Alternative Data Stream, let’s compromise the target machine with a payload concealed in the Alternative Data Steam.

We will create a malicious executable payload using msfvenom as we did in Practical #5, as it is the same method, we are not showing it again here.

After creating the payload and starting the listener, we will move to our target machine.

Here, we created a BITS job named hackingarticles using the /create switch.

After creating the job, we will add the file to download using BITSAdmin’s /addfile switch.

After adding the payload successfully, we use the next switch /SetNotifyCmdLine to read the contents of the payload which will be downloaded and transfer to the alternative data stream of a file.txt.

Keeping this configuration, we start the download using the /resume switch.

Here, we list the C:\file.txt contents to find that out payload.exe has successfully being transferred into the ADS of this file.

Now to execute the file that we put in the ADS; we will be using wmic. We will use the create switch followed by the path of the payload as shown in the image.

It says that the Execution was successful.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

Practical #8: Persistence using BITSAdmin

Persistence, it means that the exploited session will be available to you even after the target machine restarts. Let’s see how to achieve this using BITSAdmin.

We will create a malicious executable payload using msfvenom as we did in Practical #5, as it is the same method, we are not showing it again here.

After creating the payload and starting the listener, we will move to our target machine.

Here, we created a BITS job named hackingarticles using the /create switch.

After creating the job, we will add the file to download using BITSAdmin’s /addfile switch.

After adding the payload successfully, we use the next switch /SetNotifyCmdLine to execute the payload. This is done with the help of an action that we scripted. First, it will start the cmd.exe and then it will complete the download and then it will execute the said command in the background.

After this, we use another switch /SetMinRetryDelay. It is used to set the minimum length of time, in seconds, that BITS wait after facing a transient error before trying to transfer the file. Here, if payload that we download gets stuck in a transient error, which is a temporary error. BITS is designed to run continuously if an error of such kind occurs. So, if our download is completed but due to the transient error was not able to execute properly, this switch will make it retry after 120 seconds.

That’s was simply setting up an exploit to gain a session. Now we need to work on it to be a persistence method.  But the BITS can get into an error state and keep the payload in a temporary state without completing the download and in turn stopping the execution of the payload. To solve this issue, we will use schtasks to resume our job at a specific time again and again. This will allow the payload to persist irrespective of any kind of issue.

The /resume switch in the schtasks will restart the BITS job when if, it enters an error state. Using a schedule modifier task (/mo) to make the task gets reactivated every (60, in this case) minute. The BITSAdmin redownloads the payload in case of an error and schtasks take care of the execution of the payload on an event of a reboot of the machine.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System. In case of failure, we will have to restart the listener with the same configuration and we will have the session again in no time.

Please, note this is a limited demo. In the real-life scenarios, we suggest that rename the payload file to look like a Windows Update and perform all these tasks in the ‘%Temp%’ directory for obvious reasons. We also recommend that we modify the schtasks to delete the task after a particular time with removing the presence by deleting the logs related to this intrusion.

Detection     

Before the official introduction of BITSAdmin in the Windows Defender Real-time Scan, it was quite difficult to detect BITS Transfers. Apart from scanning through logs, there wasn’t any other method. Monitoring the logs for the usage of the BITSAdmin tool (especially the ‘Transfer’, ‘Create’, ‘AddFile’, ‘SetNotifyFlags’, ‘SetNotifyCmdLine’, ‘SetMinRetryDelay’, ‘SetCustomHeaders’, and ‘Resume’ switches) Actually, there is a way to gain the information about the transfers. It is through the QMGR Database.

SC Query

BITSAdmin is deployed as a service. Hence its status can be checked with the SC Query Utility.

This will show if there is an instance of any BITS Transfer Running or not.

QMGR Database

It is an abbreviated form of the Queue Manager Database. This is a record of all the BITS Jobs. There are 2 types of files generated in this database record. A .dat file and a .db file. This database file can be found at this location

We traversed to the said location using the dir command to find ourselves a qmgr.db file. We tried opening the file but it was hex-encoded.

So, we used a Hex-Editor Online tool. Here we scanned through the data and found that we have the IP Address of the file being Downloaded with its path. We followed the complete path and it gives us the temporary file that was downloaded before the /complete switch was used.

It is to be noted that the BITS Jobs will not be shown in autoruns as there is not any way to run BITSAdmin on start-up with Default Configurations.

Verbose Switch

If we are lucky enough to find the BITSAdmin in the act, we can get our hands some very useful information. We ran a BITS Job and ran the following command to gain information about the job.

Event Logs

We have the Windows Event logs which Focuses on the default event logs, it is one of the sources for detection of any download. It is known as the Microsoft-Windows-BITS-Client/Operational log. These logs contain the download state, download source, user and some file information for each BITS transfer job. This event log is strikingly similar across Windows 7 through 10 so it is a good endpoint collection source. There are some limitations here as these logs don’t show the sparse data, as well as the logs, are spread over several EventIDs. Potentially a huge amount of entries in any environment makes it impossible to spot malicious download hiding in plain sight. This log will also not detect the BITS persistence unless there was a network transfer to a suspicious domain as part of the configured job.

This Log can be monitored on the Event Viewer at this Location:

Application and Services Logs > Microsoft > Windows > BITS-Client

Mitigation

Our recommendation for mitigating BITSAdmin is to modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic. We can also reduce the default BITS job lifetime in Group Policy or by editing the “JobInactivityTimeout” and “MaxDownloadTime” Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS The default maximum lifetime for a BITS job is 90 days, but that can be modified. Lastly, we can limit the access of the BITSAdmin interface to specific users or groups.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different office environments where the malicious file was detected and deleted but was revived again using BITSAdmin. A special shout out to Oddvar Moe for his help in some tinkering. It was a fun learning experience working with BITSAdmin. We are going to write more articles about other LOLS that we could find. Stay Tuned.

BITSAdmin Operations                   Persistence using BITS    

Living Off Land binaries                  BITSAdmin

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn