bitsadmin.exe
- File Path: C:\Windows\system32\bitsadmin.exe
- Description: BITS administration utility
Hashes
Type | Hash |
---|---|
MD5 | 5CD8838F1E275B0C8EADF4B755C04E4F |
SHA1 | 5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A |
SHA256 | 03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30 |
SHA384 | 781A5959CE3FBD7CA3BB37181ACC90998E249DF75D095C1D7122EEA857571C7EF036E9C670B974942AC78C632D6BB46A |
SHA512 | 0620F52E3321FDF398326B36C7477E647CBD2A5D5CACB549088284D75E5539A570FA967D9C6B6E4ADE19C2AB7E845960929AE87D99A6F080B3C844FA19063880 |
SSDEEP | 3072:3m6xtJckj/dV6l5LOufzzkyVRj56+YKsdZetQUC6kIvDg/0jok:3m6xEElM5LOWz4yVRkUL1o |
IMP | B0A3CFF8CFDE112945189719F82F9EA9 |
PESHA1 | 1294B399E2E7921303B6FE4F76879B36A80D276F |
PE256 | 2103AE898B3D5E5FE18F51ACC366B5C43F3102825D60F4CEBFF7CE5A00F236F1 |
Runtime Data
Usage (stdout):
BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.
Invalid command
USAGE: BITSADMIN [/RAWRETURN] [/WRAP | /NOWRAP] command
The following commands are available:
/HELP Prints this help
/? Prints this help
/UTIL /? Prints the list of utilities commands
/PEERCACHING /? Prints the list of commands to manage Peercaching
/CACHE /? Prints the list of cache management commands
/PEERS /? Prints the list of peer management commands
/LIST [/ALLUSERS] [/VERBOSE] List the jobs
/MONITOR [/ALLUSERS] [/REFRESH sec] Monitors the copy manager
/RESET [/ALLUSERS] Deletes all jobs in the manager
/TRANSFER <job name> [type] [/PRIORITY priority] [/ACLFLAGS flags] [/DYNAMIC]
remote_url local_name
Transfers one of more files.
[type] may be /DOWNLOAD or /UPLOAD; default is download
Multiple URL/file pairs may be specified.
Unlike most commands, <job name> may only be a name and not a GUID.
/DYNAMIC configures the job with BITS_JOB_PROPERTY_DYNAMIC_CONTENT, which relaxes the server-side requirements.
/CREATE [type] <job name> Creates a job
[type] may be /DOWNLOAD, /UPLOAD, or /UPLOAD-REPLY; default is download
Unlike most commands, <job name> may only be a name and not a GUID.
/INFO <job> [/VERBOSE] Displays information about the job
/ADDFILE <job> <remote_url> <local_name> Adds a file to the job
/ADDFILESET <job> <textfile> Adds multiple files to the job
Each line of <textfile> lists a file's remote name and local name, separated
by spaces. A line beginning with '#' is treated as a comment.
Once the file set is read into memory, the contents are added to the job.
/ADDFILEWITHRANGES <job> <remote_url> <local_name range_list>
Like /ADDFILE, but BITS will read only selected byte ranges of the URL.
range_list is a comma-delimited series of offset and length pairs.
For example,
0:100,2000:100,5000:eof
instructs BITS to read 100 bytes starting at offset zero, 100 bytes starting
at offset 2000, and the remainder of the URL starting at offset 5000.
/REPLACEREMOTEPREFIX <job> <old_prefix> <new_prefix>
All files whose URL begins with <old_prefix> are changed to use <new_prefix>
Note that BITS currently supports HTTP/HTTPS downloads and uploads.
It also supports UNC paths and file:// paths as URLS
/LISTFILES <job> Lists the files in the job
/SUSPEND <job> Suspends the job
/RESUME <job> Resumes the job
/CANCEL <job> Cancels the job
/COMPLETE <job> Completes the job
/GETTYPE <job> Retrieves the job type
/GETACLFLAGS <job> Retrieves the ACL propagation flags
/SETACLFLAGS <job> <ACL_flags> Sets the ACL propagation flags for the job
O - OWNER G - GROUP
D - DACL S - SACL
Examples:
bitsadmin /setaclflags MyJob OGDS
bitsadmin /setaclflags MyJob OGD
/GETBYTESTOTAL <job> Retrieves the size of the job
/GETBYTESTRANSFERRED <job> Retrieves the number of bytes transferred
/GETFILESTOTAL <job> Retrieves the number of files in the job
/GETFILESTRANSFERRED <job> Retrieves the number of files transferred
/GETCREATIONTIME <job> Retrieves the job creation time
/GETMODIFICATIONTIME <job> Retrieves the job modification time
/GETCOMPLETIONTIME <job> Retrieves the job completion time
/GETSTATE <job> Retrieves the job state
/GETERROR <job> Retrieves detailed error information
/GETOWNER <job> Retrieves the job owner
/GETDISPLAYNAME <job> Retrieves the job display name
/SETDISPLAYNAME <job> <display_name> Sets the job display name
/GETDESCRIPTION <job> Retrieves the job description
/SETDESCRIPTION <job> <description> Sets the job description
/GETPRIORITY <job> Retrieves the job priority
/SETPRIORITY <job> <priority> Sets the job priority
Priority usage choices:
FOREGROUND
HIGH
NORMAL
LOW
/GETNOTIFYFLAGS <job> Retrieves the notify flags
/SETNOTIFYFLAGS <job> <notify_flags> Sets the notify flags
For more help on this option, please refer to the MSDN help page for SetNotifyFlags
/GETNOTIFYINTERFACE <job> Determines if notify interface is registered
/GETMINRETRYDELAY <job> Retrieves the retry delay in seconds
/SETMINRETRYDELAY <job> <retry_delay> Sets the retry delay in seconds
/GETNOPROGRESSTIMEOUT <job> Retrieves the no progress timeout in seconds
/SETNOPROGRESSTIMEOUT <job> <timeout> Sets the no progress timeout in seconds
/GETMAXDOWNLOADTIME <job> Retrieves the download timeout in seconds
/SETMAXDOWNLOADTIME <job> <timeout> Sets the download timeout in seconds
/GETERRORCOUNT <job> Retrieves an error count for the job
/SETPROXYSETTINGS <job> <usage> Sets the proxy usage
usage choices:
PRECONFIG - Use the owner's default Internet settings.
AUTODETECT - Force autodetection of proxy.
NO_PROXY - Do not use a proxy server.
OVERRIDE - Use an explicit proxy list and bypass list.
Must be followed by a proxy list and a proxy bypass list.
NULL or "" may be used for an empty proxy bypass list.
Examples:
bitsadmin /setproxysettings MyJob PRECONFIG
bitsadmin /setproxysettings MyJob AUTODETECT
bitsadmin /setproxysettings MyJob NO_PROXY
bitsadmin /setproxysettings MyJob OVERRIDE proxy1:80 "<local>"
bitsadmin /setproxysettings MyJob OVERRIDE proxy1,proxy2,proxy3 NULL
/GETPROXYUSAGE <job> Retrieves the proxy usage setting
/GETPROXYLIST <job> Retrieves the proxy list
/GETPROXYBYPASSLIST <job> Retrieves the proxy bypass list
/TAKEOWNERSHIP <job> Take ownership of the job
/SETNOTIFYCMDLINE <job> <program_name> [program_parameters]
Sets a program to execute for notification, and optionally parameters.
The program name and parameters can be NULL.
IMPORTANT: if parameters are non-NULL, then the program name should be the
first parameter.
Examples:
bitsadmin /SetNotifyCmdLine MyJob c:\winnt\system32\notepad.exe NULL
bitsadmin /SetNotifyCmdLine MyJob c:\callback.exe "c:\callback.exe parm1 parm2"
bitsadmin /SetNotifyCmdLine MyJob NULL NULL
/GETNOTIFYCMDLINE <job> Returns the job's notification command line
/SETCREDENTIALS <job> <target> <scheme> <username> <password>
Adds credentials to a job.
<target> may be either SERVER or PROXY
<scheme> may be BASIC, DIGEST, NTLM, NEGOTIATE, or PASSPORT.
/REMOVECREDENTIALS <job> <target> <scheme>
Removes credentials from a job.
/GETCUSTOMHEADERS <job> Gets the Custom HTTP Headers
/SETCUSTOMHEADERS <job> <header1> <header2> <...> Sets the Custom HTTP Headers
/GETHTTPMETHOD <job> Gets the HTTP verb to use.
/SETHTTPMETHOD <job> <HTTPMethod> Sets the HTTP verb to use.
/GETCLIENTCERTIFICATE <job> Gets the job's Client Certificate Information
/SETCLIENTCERTIFICATEBYID <job> <store_location> <store_name> <hexa-decimal_cert_id>
Sets a client authentication certificate to a job.
<store_location> may be
1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE).
/SETCLIENTCERTIFICATEBYNAME <job> <store_location> <store_name> <subject_name>
Sets a client authentication certificate to a job.
<store_location> may be
1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE).
/REMOVECLIENTCERTIFICATE <job> Removes the Client Certificate Information from the job
/SETSECURITYFLAGS <job> <value>
Sets the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.
The value is an unsigned integer with the following interpretation for the bits in the binary representation.
Enable CRL Check : Set the least significant bit
Ignore invalid common name in server certificate : Set the 2nd bit from right
Ignore invalid date in server certificate : Set the 3rd bit from right
Ignore invalid certificate authority in server
certificate : Set the 4th bit from right
Ignore invalid usage of certificate : Set the 5th bit from right
Redirection policy : Controlled by the 9th-11th bits from right
0,0,0 - Redirects will be automatically allowed.
0,0,1 - Remote name in the IBackgroundCopyFile interface will be updated if a redirect occurs.
0,1,0 - BITS will fail the job if a redirect occurs.
Allow redirection from HTTPS to HTTP : Set the 12th bit from right
/GETSECURITYFLAGS <job>
Reports the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.
/SETVALIDATIONSTATE <job> <file-index> <true|false>
<file-index> starts from 0
Sets the content-validation state of the given file within the job.
/GETVALIDATIONSTATE <job> <file-index>
<file-index> starts from 0
Reports the content-validation state of the given file within the job.
/GETTEMPORARYNAME <job> <file-index>
<file-index> starts from 0
Reports the temporary filename of the given file within the job.
The following options control peercaching of a particular job:
/SETPEERCACHINGFLAGS <job> <value>
Sets the flags for the job's peercaching behavior.
The value is an unsigned integer with the following interpretation for the bits in the binary representation.
Allow the job's data to be downloaded from a peer : Set the least significant bit
Allow the job's data to be served to peers : Set the 2nd bit from right
/GETPEERCACHINGFLAGS <job>
Reports the flags for the job's peercaching behavior.
The following options are valid for UPLOAD-REPLY jobs only:
/GETREPLYFILENAME <job> Gets the path of the file containing the server reply
/SETREPLYFILENAME <job> <path> Sets the path of the file containing the server reply
/GETREPLYPROGRESS <job> Gets the size and progress of the server reply
/GETREPLYDATA <job> Dumps the server's reply data in hex format
/SETHELPERTOKEN <job> Sets the current command prompt's primary token as a job's helper token
/GETHELPERTOKENSID <job> Reports the user account SID of a job's helper token, if one is set
/SETHELPERTOKENFLAGS <job> <flags>
Sets the helper token usage flags for a job. Possible values are:
1 - The helper token is used when accessing the local filesystem.
2 - The helper token is used when accessing the network.
3 - The helper token is used when accessing both the local filesystem and the network.
/GETHELPERTOKENFLAGS <job>
Reports a job's helper token usage flags.
/GETPEERSTATS <job> <file-index>
<file-index> starts from 0
Reports statistics about the amount of data downloaded from peers and origin servers for a specific file within a job.
The following options can be placed before the command:
/RAWRETURN Return data more suitable for parsing
/WRAP Wrap output around console (default)
/NOWRAP Don't wrap output around console
The /RAWRETURN option strips new line characters and formatting.
It is recognized by the /CREATE and /GET* commands.
Commands that take a <job> parameter will accept either a job name or a job ID
GUID inside braces. BITSADMIN reports an error if a name is ambiguous.
Loaded Modules:
Path |
---|
C:\Windows\System32\bcryptPrimitives.dll |
C:\Windows\system32\bitsadmin.exe |
C:\Windows\System32\combase.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\IMM32.DLL |
C:\Windows\System32\kernel.appcore.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\system32\SspiCli.dll |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\user32.dll |
C:\Windows\system32\uxtheme.dll |
C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial: 33000001C422B2F79B793DACB20000000001C4
- Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: bitsadmin.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 7.8.17763.1 (WinBuild.160101.0800)
- Product Version: 7.8.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/03c7e317e277bbd6c9c1159f8718a9d302e6f78e0d80c09d52a994b7598c0f30/detection/
Possible Misuse
The following table contains possible examples of bitsadmin.exe being misused. While bitsadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proxy_ua_bitsadmin_susp_tld.yml | title: Bitsadmin to Uncommon TLD | DRL 1.0 |
sigma | proxy_ua_bitsadmin_susp_tld.yml | description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ | DRL 1.0 |
sigma | proxy_ua_bitsadmin_susp_tld.yml | - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca | DRL 1.0 |
sigma | win_bits_client_susp_use_bitsadmin.yml | title: Suspicious Task Added by Bitsadmin | DRL 1.0 |
sigma | win_bits_client_susp_use_bitsadmin.yml | processPath\|endswith: '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_greenbug_may20.yml | - 'bitsadmin' | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | title: Bitsadmin Download | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | description: Detects usage of bitsadmin downloading a file | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - 'copy bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2020_10189.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_mmc_spawn_shell.yml | - '\BITSADMIN' | DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' | DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/Addfile.*(http\|https\|ftp\|ftps):.*' | DRL 1.0 |
sigma | proc_creation_win_mshta_spawn_shell.yml | - '\BITSADMIN' | DRL 1.0 |
sigma | proc_creation_win_powershell_bitsjob.yml | title: Suspicious Bitsadmin Job via PowerShell | DRL 1.0 |
sigma | proc_creation_win_public_folder_parent.yml | - 'bitsadmin' | DRL 1.0 |
sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_mssql.yml | - '\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | - '*\bitsadmin.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \bitsadmin.exe | DRL 1.0 |
sigma | proc_creation_win_webshell_spawn.yml | - '\bitsadmin.exe' | DRL 1.0 |
LOLBAS | Bitsadmin.yml | Name: Bitsadmin.exe | |
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 | |
LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. | |
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 | |
LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | |
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset | |
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | |
LOLBAS | Bitsadmin.yml | Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | |
LOLBAS | Bitsadmin.yml | - Path: C:\Windows\System32\bitsadmin.exe | |
LOLBAS | Bitsadmin.yml | - Path: C:\Windows\SysWOW64\bitsadmin.exe | |
LOLBAS | Bitsadmin.yml | - IOC: Child process from bitsadmin.exe | |
LOLBAS | Bitsadmin.yml | - IOC: bitsadmin creates new files | |
LOLBAS | Bitsadmin.yml | - IOC: bitsadmin adds data to alternate data stream | |
atomic-red-team | index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1072.md | bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | - Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | ## Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | - Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | - Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | ## Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to download | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | ## Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps. | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /create #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /resume #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /complete #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} | MIT License. © 2018 Red Canary |
atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} | MIT License. © 2018 Red Canary |
signature-base | apt_keyboys.yar | $x1 = “egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin” ascii | CC BY-NC 4.0 |
signature-base | gen_github_net_redteam_tools_guids.yar | reference = "https://github.com/bitsadmin/nopowershell" | CC BY-NC 4.0 |
signature-base | gen_github_net_redteam_tools_guids.yar | reference = "https://github.com/bitsadmin/fakelogonscreen" | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s13 = "bitsadmin /rawreturn /transfer getfile" ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | reference = "https://github.com/bitsadmin/nopowershell" | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
bitsadmin
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10
Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /? or bitsadmin /help to get a list of switches.
Most switches require a <job> parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.
By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.
Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.
Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.
Available switches
- bitsadmin /addfile
- bitsadmin /addfileset
- bitsadmin /addfilewithranges
- bitsadmin /cache
- bitsadmin /cache /delete
- bitsadmin /cache /deleteurl
- bitsadmin /cache /getexpirationtime
- bitsadmin /cache /getlimit
- bitsadmin /cache /help
- bitsadmin /cache /info
- bitsadmin /cache /list
- bitsadmin /cache /setexpirationtime
- bitsadmin /cache /setlimit
- bitsadmin /cache /clear
- bitsadmin /cancel
- bitsadmin /complete
- bitsadmin /create
- bitsadmin /examples
- bitsadmin /getaclflags
- bitsadmin /getbytestotal
- bitsadmin /getbytestransferred
- bitsadmin /getclientcertificate
- bitsadmin /getcompletiontime
- bitsadmin /getcreationtime
- bitsadmin /getcustomheaders
- bitsadmin /getdescription
- bitsadmin /getdisplayname
- bitsadmin /geterror
- bitsadmin /geterrorcount
- bitsadmin /getfilestotal
- bitsadmin /getfilestransferred
- bitsadmin /gethelpertokenflags
- bitsadmin /gethelpertokensid
- bitsadmin /gethttpmethod
- bitsadmin /getmaxdownloadtime
- bitsadmin /getminretrydelay
- bitsadmin /getmodificationtime
- bitsadmin /getnoprogresstimeout
- bitsadmin /getnotifycmdline
- bitsadmin /getnotifyflags
- bitsadmin /getnotifyinterface
- bitsadmin /getowner
- bitsadmin /getpeercachingflags
- bitsadmin /getpriority
- bitsadmin /getproxybypasslist
- bitsadmin /getproxylist
- bitsadmin /getproxyusage
- bitsadmin /getreplydata
- bitsadmin /getreplyfilename
- bitsadmin /getreplyprogress
- bitsadmin /getsecurityflags
- bitsadmin /getstate
- bitsadmin /gettemporaryname
- bitsadmin /gettype
- bitsadmin /getvalidationstate
- bitsadmin /help
- bitsadmin /info
- bitsadmin /list
- bitsadmin /listfiles
- bitsadmin /makecustomheaderswriteonly
- bitsadmin /monitor
- bitsadmin /nowrap
- bitsadmin /peercaching
- bitsadmin /peercaching /getconfigurationflags
- bitsadmin /peercaching /help
- bitsadmin /peercaching /setconfigurationflags
- bitsadmin /peers
- bitsadmin /peers /clear
- bitsadmin /peers /discover
- bitsadmin /peers /help
- bitsadmin /peers /list
- bitsadmin /rawreturn
- bitsadmin /removeclientcertificate
- bitsadmin /removecredentials
- bitsadmin /replaceremoteprefix
- bitsadmin /reset
- bitsadmin /resume
- bitsadmin /setaclflag
- bitsadmin /setclientcertificatebyid
- bitsadmin /setclientcertificatebyname
- bitsadmin /setcredentials
- bitsadmin /setcustomheaders
- bitsadmin /setdescription
- bitsadmin /setdisplayname
- bitsadmin /sethelpertoken
- bitsadmin /sethelpertokenflags
- bitsadmin /sethttpmethod
- bitsadmin /setmaxdownloadtime
- bitsadmin /setminretrydelay
- bitsadmin /setnoprogresstimeout
- bitsadmin /setnotifycmdline
- bitsadmin /setnotifyflags
- bitsadmin /setpeercachingflags
- bitsadmin /setpriority
- bitsadmin /setproxysettings
- bitsadmin /setreplyfilename
- bitsadmin /setsecurityflags
- bitsadmin /setvalidationstate
- bitsadmin /suspend
- bitsadmin /takeownership
- bitsadmin /transfer
- bitsadmin /util
- bitsadmin /util /enableanalyticchannel
- bitsadmin /util /getieproxy
- bitsadmin /util /help
- bitsadmin /util /repairservice
- bitsadmin /util /setieproxy
- bitsadmin /util /version
- bitsadmin /wrap
MIT License. Copyright (c) 2020-2021 Strontic.