# BITS (IN PROGRESS)

## Scenario

> Using BitsParser from FireEye to retrieve BITS jobs, can you help the SOC identify persistence actions conducted on a compromised host? **Read the "READ ME!.txt" file in the Investigation folder on the Desktop.** \
> \
> **Reading Material:**\
> [FireEye Blog Post](https://www.mandiant.com/resources/attacker-use-of-windows-background-intelligent-transfer-service)\
> [BitsParser GitHub Page](https://github.com/fireeye/BitsParser)

BITS (Background Intelligent Transfer Service) is a legitimate Windows component, used by software such as web browsers to periodically download updates, that attackers treat as a living-off-the-land binary. It can be abused for lateral movement, tool deployment, and persistence.

To start this lab we will refer to the BitsParser GitHub Page for documentation on how to use it.

{% hint style="info" %}
BitsParser is a Python 3 script that can parse Windows Background Intelligent Transfer Service database files and extract job and file information. It supports both the original custom database format as well as the ESE database format used on Windows 10 systems.
{% endhint %}

I also opened the Investigation folder on the desktop and found a `READ ME!` file. It contains information relevant to the lab, including what BITS is and some key points about it.

BitsParser.py needs administrator privileges to run, so we will use an administrator-level Command Prompt. To open one, right click cmd and select Run as Administrator.

Before BitsParser can retrieve the BITS jobs, the running BITS service needs to be stopped. To do this, launch Task Manager by right clicking the taskbar and selecting Task Manager. Open the Services tab and locate the BITS service, which we can see is running under the netsvcs group. Right click it and click Stop.

![](/files/6j60rNHmOHbqPr7HRFpT)

We will now use cmd (remember to run it as administrator). Use the `cd` command to change into the directory containing the BitsParser Python script.

Run the following command:

`cd C:\Users\BTLOTest\Desktop\Investigation\BitsParser-master`

Entering the `dir` command shows the contents of the BitsParser-master folder. Here we can see the `BitsParser.py` python script.

To run this script, enter this command into the cmd:

`python BitsParser.py --carveall > output.txt`

The `--carveall` flag makes the script return more information. The script is also known not to write its results properly when using its `-o filename` flag, which is why we redirect with `> output.txt` instead.

### Questions

{% hint style="info" %}
Question 1) A popular GitHub Repo for Windows privilege escalation is WinPEAS. Can you find any file downloads for winPEAS.bat in the BitsParser output? What is the associated job name? (Format: BITSJobName)*(3 points)*

💡Answer: **privesctools**
{% endhint %}

After the command finishes, open the `output.txt` file, which should be in the same folder as the Python script we just ran. You can also open it from cmd by entering the command `"output.txt"` (be sure to include the quotation marks). Here we can see that several jobs were carved. We are looking for the job associated with winPEAS.bat, so press `ctrl+f` and type in `winPEAS.bat`.

![](/files/I8oVxHYmGMSF05hkddII)

Here we can see winPEAS.bat was downloaded: looking at `"JobType"`, the value is `"download"`. We also see `"JobName": "privesctools"`, and there is our answer!

{% hint style="info" %}
Question 2) What is the Creation Time of this job? (Format: YYYY-MM-DDTHH:MM:SSZ)*(3 points)*

💡Answer: **2022-01-07T13:32:19Z**
{% endhint %}

To get this answer, we are still using the same `output.txt` file. Scroll down and you will find the `"CreationTime": "2022-01-07T13:32:19Z"` field, which gives us our answer.

![](/files/ruEKQKLOsO35oTAmskpv)

{% hint style="info" %}
Question 3) BITS can be used to download files from other systems. What is the IP address that originally hosted the file downloaded to the victim machine? (Format: X.X.X.X)*(3 points)*

💡Answer: **10.0.12.228**
{% endhint %}

To solve this question, the same output.txt file was used. The IP address that originally hosted the file downloaded to the victim machine can be found by looking at the `"SourceURL"` field. This field identifies the source that the file **winPEAS.bat** was requested from, the source being **"10.0.12.228"**.

![](/files/dfvcha7DPV7cQCD0hmXS)

{% hint style="info" %}
Question 4) What is the folder and filename used when this file was downloaded to the victim machine? (Format: \\\folder\\\file.extension)*(3 points)*

💡Answer: **\\\Music\\\winPEAS.bat**
{% endhint %}

Using the same output.txt file, this question is fairly easy: the answer can be found by looking at the `"DestFile"` field, just above the `"SourceURL"` field from the previous question.

{% hint style="info" %}
Question 5) Is there any evidence of other files that include the string "winPEAS"? What is the original filename? Make sure the DownloadByteSize or TransferByteSize is greater than 0 to identify a successful download/transfer. (Format: filename.extension)*(4 points)*

💡Answer: **winPEASx64.exe**
{% endhint %}

To solve this question, since it asks for evidence of other files that contain the string "winPEAS", all I did was use the search function to look for instances of "winPEAS" in the output.txt file.

{% hint style="info" %}
Question 6) What is the folder and filename used when this second file was downloaded to the victim machine? (Format: \\\folder\\\file.extension)*(3 points)*

💡Answer: **\\\Music\\\WindowsUpdater.exe**
{% endhint %}

To solve this question, we used the same steps as in question four.
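As an added example (not code from this write-up or from the BitsParser project), the script below automates the checks behind questions 1 to 6 so the SOC does not have to ctrl+f through output.txt by hand: it walks BitsParser's JSON output, finds every file whose SourceURL or DestFile contains a search string such as "winPEAS", keeps only entries whose DownloadByteSize or TransferByteSize is greater than 0, and reports the job name, creation time, source host, original filename and destination path. The sample records embedded in it are constructed from the values quoted in this write-up (the second job's name and time, and the whole zero-byte third job, are made up to exercise the filter). The script assumes output.txt holds one JSON object per job, pretty-printed or not; the exact record layout, with file details nested under the job, is also an assumption, which is why the search walks nested lists and dicts instead of relying on fixed paths.

```python
"""Added triage helper for BitsParser output (not part of BitsParser)."""
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the values quoted in the write-up; the
# second job's name/time and the whole third job are made up to show the
# byte-size filter. A real output.txt is whatever BitsParser printed.
SAMPLE_OUTPUT = r'''
{
    "JobName": "privesctools",
    "JobType": "download",
    "CreationTime": "2022-01-07T13:32:19Z",
    "Files": [{"DestFile": "\\Music\\winPEAS.bat",
               "SourceURL": "http://10.0.12.228/winPEAS.bat",
               "DownloadByteSize": 34816, "TransferByteSize": 34816}]
}
{
    "JobName": "updater",
    "JobType": "download",
    "CreationTime": "2022-01-07T13:40:02Z",
    "Files": [{"DestFile": "\\Music\\WindowsUpdater.exe",
               "SourceURL": "http://10.0.12.228/winPEASx64.exe",
               "DownloadByteSize": 1966080, "TransferByteSize": 1966080}]
}
{
    "JobName": "stale",
    "JobType": "download",
    "CreationTime": "2022-01-06T09:15:44Z",
    "Files": [{"DestFile": "\\Music\\winPEASany.exe",
               "SourceURL": "http://10.0.12.228/winPEASany.exe",
               "DownloadByteSize": 0, "TransferByteSize": 0}]
}
'''


def iter_records(text):
    """Yield each top-level JSON object in text, whether the objects are
    pretty-printed across many lines or packed one per line."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def file_entries(node):
    """Walk a job record and yield every dict that describes a file
    (has a DestFile or SourceURL key), however deeply it is nested."""
    if isinstance(node, dict):
        if "DestFile" in node or "SourceURL" in node:
            yield node
        for value in node.values():
            yield from file_entries(value)
    elif isinstance(node, list):
        for item in node:
            yield from file_entries(item)


def transferred(entry):
    """True when the byte counters show data actually moved, which is the
    check question 5 asks for."""
    return any(int(entry.get(k) or 0) > 0
               for k in ("DownloadByteSize", "TransferByteSize"))


def find_transfers(text, needle, require_bytes=True):
    """Return one summary dict per file whose SourceURL or DestFile contains
    needle (case-insensitive). With require_bytes, zero-byte jobs are dropped."""
    needle = needle.lower()
    hits = []
    for job in iter_records(text):
        for entry in file_entries(job):
            src = entry.get("SourceURL", "") or ""
            dst = entry.get("DestFile", "") or ""
            if needle not in src.lower() and needle not in dst.lower():
                continue
            if require_bytes and not transferred(entry):
                continue
            hits.append({
                "JobName": job.get("JobName"),
                "JobType": job.get("JobType"),
                "CreationTime": job.get("CreationTime"),
                "SourceHost": urlsplit(src).hostname,
                "OriginalName": src.rsplit("/", 1)[-1],
                "DestFile": dst,
            })
    return hits


if __name__ == "__main__":
    # Point this at the real file with open("output.txt").read() on the host.
    for hit in find_transfers(SAMPLE_OUTPUT, "winpeas"):
        print(hit)
```

Run against the real output.txt, the first hit gives the job name, creation time, source IP and destination path asked for in questions 1 to 4, and the remaining hits give the renamed copies asked for in questions 5 and 6; passing `require_bytes=False` shows the jobs that were created but never transferred anything.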


