Enes Arda Baydaş

LOLBin C2 Beaconing via BITS Jobs

latest post: [Click to go]

4 min read

Threat Hunt Report: LOLBin C2 Beaconing via BITS Jobs

Date: 2026-03-11

Analyst: Enes Arda Baydaş

Platform: Elastic SIEM (Kibana) & TryHackMe

MITRE ATT&CK: T1197, T1105, T1071.001

flowchart LR
classDef input fill:#4A90D9,color:#fff
classDef process fill:#6B7280,color:#fff
classDef decision fill:#F59E0B,color:#fff
classDef output fill:#10B981,color:#fff

subgraph Detection
I1([IDS Alert Outbound HTTP])
P1[Filter Logs In Kibana]
P2[Analyze User Agent Frequency]
end

subgraph Investigation
D1{Is Activity Authorized}
O1[[Mark False Positive]]
P3[Identify bitsadmin Command Channel]
end

subgraph Containment
P4[Isolate Compromised Host]
P5[Preserve Forensic Image]
P6[Block Pastebin Domain]
end

subgraph Follow Up
O2[[Review Auth Logs]]
O3[[Investigate Initial Access]]
end

I1 --> P1
P1 --> P2
P2 --> D1
D1 -->|Yes| O1
D1 -->|No| P3
P3 --> P4
P4 --> P5
P5 --> P6
P6 --> O2
P6 --> O3

class I1 input
class P1,P2,P3,P4,P5,P6 process
class D1 decision
class O1,O2,O3 output

Executive Summary

An IDS signature flagged anomalous outbound HTTP traffic originating from an HR workstation (192.168.x.x) Analysis of HTTP connection logs in Kibana confirmed the host used bitsadmin.exe (a native Windows binary) to retrieve a payload from pastebin.com. The attack bypasses perimeter defenses by abusing a trusted OS utility and a whitelisted public domain. Initial access vector remains unresolved and is flagged as an open investigative thread.

Risk: High. LOLBin-based C2 evades signature detection and AV. Pastebin’s reputation prevents firewall blocking in most default configurations. Dwell time and lateral movement scope are unknown pending forensic triage.

Findings

IOC TypeValueContext
Source IP192.168.x.xCompromised HR workstation
C2 Domainpastebin.comLegitimate service abused for payload hosting
Malicious URLhttp://pastebin.com/x.xPayload staging URI
User-AgentbitsadminLOLBin abused for outbound retrieval (T1197)
PayloadExtracted from Pastebin URIPending sandboxed analysis

Detection Gap Summary

GapImpactFix
No user_agent anomaly alertingLOLBin activity was invisible until manual huntSIEM correlation rule on non-browser user agents
bitsadmin executable unrestricted for standard usersThreat actor had access to a persistent, low-noise delivery toolAppLocker / WDAC policy
No outbound egress filtering on workstationsArbitrary C2 destinations reachable without restrictionOutbound allowlist + proxy enforcement
Pastebin treated as trusted in firewall configPayload staging on a whitelisted domain bypassed perimeter controlsCategory-based blocking + TLS inspection for cloud storage / paste services
Initial access vector unknownRemediation is containment only; reinfection risk unquantifiedPhishing log review, endpoint forensics, email gateway audit

Detection

Signal

IDS triggered on anomalous outbound HTTP from the HR subnet. Full packet capture was unavailable; triage was limited to HTTP connection log metadata in Kibana.

Analysis

Standard environmental traffic (Windows Update, Google, Adobe telemetry) was filtered from the connection_logs index to reduce noise and surface anomalies.

Pasted image 20260301152109

Frequency analysis of the user_agent field produced the decisive signal: bitsadmin appeared in 0.4% of traffic (2 log entries) against a baseline of 99.6% standard Mozilla/5.0 variants. No administrative change request or authorized task accounted for this activity.

Ekran görüntüsü 2026-03-01 143601

Filtering on user_agent: bitsadmin isolated two GET requests from 192.168.x.x to pastebin.com/x.x.

Pasted image 20260301152020

Why This Matters

bitsadmin.exe is a signed Microsoft binary present on all Windows hosts (XP onward). Its BITS service operates asynchronously and survives reboots, making it effective for persistent, low-noise retrieval. Outbound BITS traffic is often excluded from EDR detections due to its OS-level legitimacy. Staging payloads on Pastebin exploits the domain’s trusted reputation in firewall allowlists.

MITRE ATT&CK Mapping:

TechniqueIDObserved Behavior
BITS JobsT1197bitsadmin used as HTTP client for C2 retrieval
Ingress Tool TransferT1105Remote payload fetched from external staging URI
Application Layer Protocol: Web ProtocolsT1071.001C2 communication over standard HTTP on port 80

Containment & Remediation

Immediate

  1. Isolate 192.168.x.x from the network segment. Prevent potential lateral movement before forensics are complete.
  2. Preserve a full forensic image (memory + disk) of the host. Memory capture is time-critical for recovering injected payloads or BITS job queue artifacts.
  3. Review authentication logs for user’s account across all systems for the 72-hour window preceding the alert.
  4. Block pastebin.com at the perimeter firewall and proxy until the incident is closed. Assess collateral impact on business operations before making the block permanent.

Note on Redacted Data

The Source IP and the Pastebin URI were redacted in this report. These represent the solutions to specific tasks on the TryHackMe lab.