C# reverse shell using Background Intelligent Transfer Service (BITS) as communication protocol and syscalls for EDR user-mode hooking

From github.com

LOLBITS is a C# reverse shell that uses Microsoft’s Background Intelligent Transfer Service (BITS) to communicate with the Command and Control backend. The Command and Control backend is hidden behind an apparently harmless Flask web application and is only accessible when the HTTP requests received by the app contain a valid authentication header.

LOLBITS is composed of 3 main elements:

  • The C# agent, which executes the commands on the compromised host and sends the output back to the C&C server once the process is done.
  • The Flask web application that acts as a dispatcher. This element hides the C&C infrastructure behind a harmless website and supplies new commands to the agent when an authenticated request is received.
  • The C&C console, used to control the agent.
