Introduction

In this lab, we explore the tactics and techniques adversaries use to turn legitimate Windows services to malicious ends. Specifically, the focus is on the misuse of the Background Intelligent Transfer Service (BITS), a low-bandwidth, asynchronous file transfer mechanism commonly used by Windows applications for background updates and data synchronization. While BITS is essential for many legitimate processes, it is also routinely abused by attackers seeking to establish persistent backdoors, evade detection, and maintain command and control over compromised systems.

The scenario begins with multiple alerts from Microsoft Defender Antivirus indicating the presence of malicious files on an employee's workstation. As the incident responder, your objective is to use Splunk to investigate these alerts, analyze system logs, and uncover the techniques used by the attacker. This investigation involves examining Windows Event Logs, focusing on events related to malware detections, scheduled task creation, and suspicious process executions. By correlating these events, you will piece together the attack chain, identify the tools and frameworks leveraged by the attacker, and understand how they achieved persistence on the compromised machine.

Throughout the lab, you will delve into MITRE ATT&CK technique T1197, which highlights the abuse of BITS jobs for malicious purposes. This hands-on analysis will guide you through identifying key indicators of compromise (IOCs), understanding the role of Living Off the Land Binaries and Scripts (LOLBAS), and interpreting the relationships between parent and child processes to trace the attacker’s movements within the system.
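As an added example (not the lab's own code or Splunk searches), the correlation approach described above can be sketched in Python: starting from a Defender detection, pull the process creations, BITS job starts and scheduled-task creations that fall inside a time window, and rebuild parent/child process chains. The record layout, field names, GUIDs, URL and file paths are constructed assumptions, loosely modelled on Sysmon event 1, BITS-Client operational event 59, Security 4698 and Defender 1116.

```python
# Added example (not the lab's own code): correlate constructed Windows event records into an
# attack-chain timeline around a Defender alert. Record shape and field names are assumptions.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # only correlate events this close to the alert
LOLBAS = {"bitsadmin.exe", "powershell.exe", "schtasks.exe", "mshta.exe", "rundll32.exe"}
ts = lambda rec: datetime.fromisoformat(rec["time"])

def ancestry(proc, by_guid):
    """Follow ParentProcessGuid links to rebuild a process's parent chain (child first)."""
    chain, seen = [], set()
    while proc and proc["ProcessGuid"] not in seen:
        seen.add(proc["ProcessGuid"])
        chain.append(proc["Image"].rsplit("\\", 1)[-1].lower())
        proc = by_guid.get(proc.get("ParentProcessGuid"))
    return chain

def attack_chain(records):
    """Return (stage, detail) steps in time order within WINDOW of the first Defender alert."""
    alerts = [r for r in records if (r["channel"], r["event_id"]) == ("Defender", 1116)]
    if not alerts:
        return []
    t_alert = min(ts(a) for a in alerts)
    by_guid = {r["fields"]["ProcessGuid"]: r["fields"] for r in records
               if (r["channel"], r["event_id"]) == ("Sysmon", 1)}
    steps = []
    for r in sorted((r for r in records if abs(ts(r) - t_alert) <= WINDOW), key=ts):
        f, key = r["fields"], (r["channel"], r["event_id"])
        if key == ("Sysmon", 1):
            chain = ancestry(f, by_guid)
            if chain[0] in LOLBAS:            # LOLBAS binary, reported with its parents
                steps.append(("lolbas_process", " <- ".join(chain)))
        elif key == ("BITS-Client", 59):      # job started; carries the remote URL
            steps.append(("bits_job", f"{f['name']} {f['url']}"))
        elif key == ("Security", 4698):       # a scheduled task was created
            steps.append(("scheduled_task", f["TaskName"]))
        elif key == ("Defender", 1116):       # malware detected
            steps.append(("malware_detected", f["Path"]))
    return steps
def rec(channel, event_id, time, **fields):   # builds one constructed record
    return {"channel": channel, "event_id": event_id, "time": time, "fields": fields}
S32 = "C:\\Windows\\System32\\"
SAMPLE = [   # constructed records, not telemetry from the lab
    rec("Sysmon", 1, "2024-05-01T09:58:00", ProcessGuid="A", ParentProcessGuid="Z", Image=S32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
    rec("Sysmon", 1, "2024-05-01T09:59:00", ProcessGuid="B", ParentProcessGuid="A", Image=S32 + "bitsadmin.exe"),
    rec("BITS-Client", 59, "2024-05-01T09:59:30", name="update", url="http://198.51.100.7/stage.dll"),
    rec("Sysmon", 1, "2024-05-01T10:00:00", ProcessGuid="C", ParentProcessGuid="A", Image=S32 + "schtasks.exe"),
    rec("Security", 4698, "2024-05-01T10:00:05", TaskName="\\Updater"),
    rec("Defender", 1116, "2024-05-01T10:01:00", Path="C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll"),
]
```

Running `attack_chain(SAMPLE)` yields the six steps in order, with each LOLBAS process shown together with the parent chain that spawned it; in Splunk the same correlation is a join of the Defender, Sysmon, BITS-Client and Security sourcetypes on host and time.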
