bitsadmin.exe

  • File Path: C:\Windows\system32\bitsadmin.exe
  • Description: BITS administration utility

Hashes

Type Hash
MD5 5CD8838F1E275B0C8EADF4B755C04E4F
SHA1 5DEB6EC7BB9BD0C85BBE91CBFD92BDC774FE5F8A
SHA256 03C7E317E277BBD6C9C1159F8718A9D302E6F78E0D80C09D52A994B7598C0F30
SHA384 781A5959CE3FBD7CA3BB37181ACC90998E249DF75D095C1D7122EEA857571C7EF036E9C670B974942AC78C632D6BB46A
SHA512 0620F52E3321FDF398326B36C7477E647CBD2A5D5CACB549088284D75E5539A570FA967D9C6B6E4ADE19C2AB7E845960929AE87D99A6F080B3C844FA19063880
SSDEEP 3072:3m6xtJckj/dV6l5LOufzzkyVRj56+YKsdZetQUC6kIvDg/0jok:3m6xEElM5LOWz4yVRkUL1o
IMP B0A3CFF8CFDE112945189719F82F9EA9
PESHA1 1294B399E2E7921303B6FE4F76879B36A80D276F
PE256 2103AE898B3D5E5FE18F51ACC366B5C43F3102825D60F4CEBFF7CE5A00F236F1

Runtime Data

Usage (stdout):


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Invalid command
USAGE: BITSADMIN [/RAWRETURN] [/WRAP | /NOWRAP] command
The following commands are available:

/HELP           Prints this help 
/?              Prints this help 
/UTIL /?        Prints the list of utilities commands 
/PEERCACHING /?   Prints the list of commands to manage Peercaching
/CACHE /?       Prints the list of cache management commands 
/PEERS /?       Prints the list of peer management commands

/LIST    [/ALLUSERS] [/VERBOSE]     List the jobs
/MONITOR [/ALLUSERS] [/REFRESH sec] Monitors the copy manager
/RESET   [/ALLUSERS]                Deletes all jobs in the manager

/TRANSFER <job name> [type] [/PRIORITY priority] [/ACLFLAGS flags] [/DYNAMIC] 
          remote_url local_name
    Transfers one of more files.
    [type] may be /DOWNLOAD or /UPLOAD; default is download
    Multiple URL/file pairs may be specified.
    Unlike most commands, <job name> may only be a name and not a GUID.
    /DYNAMIC configures the job with BITS_JOB_PROPERTY_DYNAMIC_CONTENT, which relaxes the server-side requirements.

/CREATE [type] <job name>               Creates a job
    [type] may be /DOWNLOAD, /UPLOAD, or /UPLOAD-REPLY; default is download
    Unlike most commands, <job name> may only be a name and not a GUID.

/INFO <job> [/VERBOSE]                   Displays information about the job
/ADDFILE <job> <remote_url> <local_name> Adds a file to the job
/ADDFILESET <job> <textfile>             Adds multiple files to the job
   Each line of <textfile> lists a file's remote name and local name, separated
   by spaces.  A line beginning with '#' is treated as a comment.
   Once the file set is read into memory, the contents are added to the job.

/ADDFILEWITHRANGES  <job> <remote_url> <local_name range_list>
   Like /ADDFILE, but BITS will read only selected byte ranges of the URL.
   range_list is a comma-delimited series of offset and length pairs.
   For example,

       0:100,2000:100,5000:eof

   instructs BITS to read 100 bytes starting at offset zero, 100 bytes starting
   at offset 2000, and the remainder of the URL starting at offset 5000.

/REPLACEREMOTEPREFIX <job> <old_prefix> <new_prefix>
    All files whose URL begins with <old_prefix> are changed to use <new_prefix>

Note that BITS currently supports HTTP/HTTPS downloads and uploads.
It also supports UNC paths and file:// paths as URLS

/LISTFILES <job>                     Lists the files in the job
/SUSPEND <job>                       Suspends the job
/RESUME <job>                        Resumes the job
/CANCEL <job>                        Cancels the job
/COMPLETE <job>                      Completes the job

/GETTYPE <job>                       Retrieves the job type
/GETACLFLAGS <job>                   Retrieves the ACL propagation flags

/SETACLFLAGS <job> <ACL_flags>       Sets the ACL propagation flags for the job
  O - OWNER       G - GROUP 
  D - DACL        S - SACL  

  Examples:
      bitsadmin /setaclflags MyJob OGDS
      bitsadmin /setaclflags MyJob OGD

/GETBYTESTOTAL <job>                 Retrieves the size of the job
/GETBYTESTRANSFERRED <job>           Retrieves the number of bytes transferred
/GETFILESTOTAL <job>                 Retrieves the number of files in the job
/GETFILESTRANSFERRED <job>           Retrieves the number of files transferred
/GETCREATIONTIME <job>               Retrieves the job creation time
/GETMODIFICATIONTIME <job>           Retrieves the job modification time
/GETCOMPLETIONTIME <job>             Retrieves the job completion time
/GETSTATE <job>                      Retrieves the job state
/GETERROR <job>                      Retrieves detailed error information
/GETOWNER <job>                      Retrieves the job owner
/GETDISPLAYNAME <job>                Retrieves the job display name
/SETDISPLAYNAME <job> <display_name> Sets the job display name
/GETDESCRIPTION <job>                Retrieves the job description
/SETDESCRIPTION <job> <description>  Sets the job description
/GETPRIORITY    <job>                Retrieves the job priority
/SETPRIORITY    <job> <priority>     Sets the job priority
   Priority usage choices:
      FOREGROUND 
      HIGH
      NORMAL
      LOW
/GETNOTIFYFLAGS <job>                 Retrieves the notify flags
/SETNOTIFYFLAGS <job> <notify_flags>  Sets the notify flags
    For more help on this option, please refer to the MSDN help page for SetNotifyFlags/GETNOTIFYINTERFACE <job>             Determines if notify interface is registered
/GETMINRETRYDELAY <job>               Retrieves the retry delay in seconds
/SETMINRETRYDELAY <job> <retry_delay> Sets the retry delay in seconds
/GETNOPROGRESSTIMEOUT <job>           Retrieves the no progress timeout in seconds
/SETNOPROGRESSTIMEOUT <job> <timeout> Sets the no progress timeout in seconds
/GETMAXDOWNLOADTIME <job>             Retrieves the download timeout in seconds
/SETMAXDOWNLOADTIME <job> <timeout>   Sets the download timeout in seconds
/GETERRORCOUNT <job>                  Retrieves an error count for the job

/SETPROXYSETTINGS <job> <usage>      Sets the proxy usage
   usage choices:
    PRECONFIG   - Use the owner's default Internet settings.
    AUTODETECT  - Force autodetection of proxy.
    NO_PROXY    - Do not use a proxy server.
    OVERRIDE    - Use an explicit proxy list and bypass list. 
                  Must be followed by a proxy list and a proxy bypass list.
                  NULL or "" may be used for an empty proxy bypass list.
  Examples:
      bitsadmin /setproxysettings MyJob PRECONFIG
      bitsadmin /setproxysettings MyJob AUTODETECT
      bitsadmin /setproxysettings MyJob NO_PROXY
      bitsadmin /setproxysettings MyJob OVERRIDE proxy1:80 "<local>" 
      bitsadmin /setproxysettings MyJob OVERRIDE proxy1,proxy2,proxy3 NULL 

/GETPROXYUSAGE <job>                 Retrieves the proxy usage setting
/GETPROXYLIST <job>                  Retrieves the proxy list
/GETPROXYBYPASSLIST <job>            Retrieves the proxy bypass list

/TAKEOWNERSHIP <job>                 Take ownership of the job

/SETNOTIFYCMDLINE <job> <program_name> [program_parameters] 
    Sets a program to execute for notification, and optionally parameters.
    The program name and parameters can be NULL.
    IMPORTANT: if parameters are non-NULL, then the program name should be the
               first parameter.

  Examples:
    bitsadmin /SetNotifyCmdLine MyJob c:\winnt\system32\notepad.exe  NULL
    bitsadmin /SetNotifyCmdLine MyJob c:\callback.exe "c:\callback.exe parm1 parm2" 
    bitsadmin /SetNotifyCmdLine MyJob NULL NULL

/GETNOTIFYCMDLINE <job>              Returns the job's notification command line

/SETCREDENTIALS <job> <target> <scheme> <username> <password>
  Adds credentials to a job.
  <target> may be either SERVER or PROXY
  <scheme> may be BASIC, DIGEST, NTLM, NEGOTIATE, or PASSPORT. 

/REMOVECREDENTIALS <job> <target> <scheme> 
  Removes credentials from a job.
/GETCUSTOMHEADERS <job>                           Gets the Custom HTTP Headers
/SETCUSTOMHEADERS <job> <header1> <header2> <...> Sets the Custom HTTP Headers

/GETHTTPMETHOD <job>                           Gets the HTTP verb to use.
/SETHTTPMETHOD <job> <HTTPMethod>              Sets the HTTP verb to use.

/GETCLIENTCERTIFICATE <job>                       Gets the job's Client Certificate Information
/SETCLIENTCERTIFICATEBYID <job> <store_location> <store_name> <hexa-decimal_cert_id>
  Sets a client authentication certificate to a job.
  <store_location> may be 
	1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
	4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
	7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE). 

/SETCLIENTCERTIFICATEBYNAME <job> <store_location> <store_name> <subject_name>
  Sets a client authentication certificate to a job.
  <store_location> may be 
	1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
	4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
	7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE). 

/REMOVECLIENTCERTIFICATE <job>                Removes the Client Certificate Information from the job

/SETSECURITYFLAGS <job> <value>   
   Sets the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.
   The value is an unsigned integer with the following interpretation for the bits in the binary representation.
     Enable CRL Check                                 : Set the least significant bit
     Ignore invalid common name in server certificate : Set the 2nd bit from right
     Ignore invalid date in  server certificate       : Set the 3rd bit from right
     Ignore invalid certificate authority in server
       certificate                                    : Set the 4th bit from right
     Ignore invalid usage of certificate              : Set the 5th bit from right
     Redirection policy                               : Controlled by the 9th-11th bits from right
         0,0,0  - Redirects will be automatically allowed.
         0,0,1  - Remote name in the IBackgroundCopyFile interface will be updated if a redirect occurs.
         0,1,0  - BITS will fail the job if a redirect occurs.

     Allow redirection from HTTPS to HTTP             : Set the 12th bit from right

/GETSECURITYFLAGS <job>   
   Reports the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.

/SETVALIDATIONSTATE  <job>  <file-index> <true|false>
      <file-index> starts from 0          
    Sets the content-validation state of the given file within the job.

/GETVALIDATIONSTATE  <job>  <file-index>  
      <file-index> starts from 0          
    Reports the content-validation state of the given file within the job.

/GETTEMPORARYNAME  <job>  <file-index>  
      <file-index> starts from 0          
    Reports the temporary filename of the given file within the job.

The following options control peercaching of a particular job:

/SETPEERCACHINGFLAGS  <job> <value>   
    Sets the flags for the job's peercaching behavior.
    The value is an unsigned integer with the following interpretation for the bits in the binary representation.
        Allow the job's data to be downloaded from a peer : Set the least significant bit
        Allow the job's data to be served to peers        : Set the 2nd bit from right

/GETPEERCACHINGFLAGS  <job>               
    Reports the flags for the job's peercaching behavior.

The following options are valid for UPLOAD-REPLY jobs only:

/GETREPLYFILENAME <job>        Gets the path of the file containing the server reply
/SETREPLYFILENAME <job> <path> Sets the path of the file containing the server reply
/GETREPLYPROGRESS <job>        Gets the size and progress of the server reply
/GETREPLYDATA     <job>        Dumps the server's reply data in hex format

/SETHELPERTOKEN <job>          Sets the current command prompt's primary token as a job's helper token
/GETHELPERTOKENSID <job>       Reports the user account SID of a job's helper token, if one is set

/SETHELPERTOKENFLAGS <job> <flags> 
    Sets the helper token usage flags for a job. Possible values are:
        1 - The helper token is used when accessing the local filesystem.
        2 - The helper token is used when accessing the network.
        3 - The helper token is used when accessing both the local filesystem and the network.

/GETHELPERTOKENFLAGS <job> 
    Reports a job's helper token usage flags.

/GETPEERSTATS <job> <file-index> 
    <file-index> starts from 0 
    Reports statistics about the amount of data downloaded from peers and origin servers for a specific file within a job.

The following options can be placed before the command:
/RAWRETURN                     Return data more suitable for parsing
/WRAP                          Wrap output around console (default)
/NOWRAP                        Don't wrap output around console

The /RAWRETURN option strips new line characters and formatting.
It is recognized by the /CREATE and /GET* commands.

Commands that take a <job> parameter will accept either a job name or a job ID
GUID inside braces.  BITSADMIN reports an error if a name is ambiguous.

Loaded Modules:

Path
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\system32\bitsadmin.exe
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\SspiCli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\user32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: bitsadmin.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 7.8.17763.1 (WinBuild.160101.0800)
  • Product Version: 7.8.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/03c7e317e277bbd6c9c1159f8718a9d302e6f78e0d80c09d52a994b7598c0f30/detection/

Possible Misuse

The following table contains possible examples of bitsadmin.exe being misused. While bitsadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_bitsadmin_susp_tld.yml title: Bitsadmin to Uncommon TLD DRL 1.0
sigma proxy_ua_bitsadmin_susp_tld.yml description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ DRL 1.0
sigma proxy_ua_bitsadmin_susp_tld.yml - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca DRL 1.0
sigma win_bits_client_susp_use_bitsadmin.yml title: Suspicious Task Added by Bitsadmin DRL 1.0
sigma win_bits_client_susp_use_bitsadmin.yml processPath\|endswith: '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_apt_greenbug_may20.yml - 'bitsadmin' DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml title: Bitsadmin Download DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml description: Detects usage of bitsadmin downloading a file DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_bitsadmin_download.yml - 'copy bitsadmin.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_10189.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\BITSADMIN' DRL 1.0
sigma proc_creation_win_monitoring_for_persistence_via_bits.yml CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' DRL 1.0
sigma proc_creation_win_monitoring_for_persistence_via_bits.yml CommandLine\|re: '(?i).*bitsadmin.*\/Addfile.*(http\|https\|ftp\|ftps):.*' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\BITSADMIN' DRL 1.0
sigma proc_creation_win_powershell_bitsjob.yml title: Suspicious Bitsadmin Job via PowerShell DRL 1.0
sigma proc_creation_win_public_folder_parent.yml - 'bitsadmin' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_mssql.yml - '\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\bitsadmin.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \bitsadmin.exe DRL 1.0
sigma proc_creation_win_webshell_spawn.yml - '\bitsadmin.exe' DRL 1.0
LOLBAS Bitsadmin.yml Name: Bitsadmin.exe  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1  
LOLBAS Bitsadmin.yml Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1  
LOLBAS Bitsadmin.yml Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset  
LOLBAS Bitsadmin.yml Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Path: C:\Windows\System32\bitsadmin.exe  
LOLBAS Bitsadmin.yml - Path: C:\Windows\SysWOW64\bitsadmin.exe  
LOLBAS Bitsadmin.yml - IOC: Child process from bitsadmin.exe  
LOLBAS Bitsadmin.yml - IOC: bitsadmin creates new files  
LOLBAS Bitsadmin.yml - IOC: bitsadmin adds data to alternate data stream  
atomic-red-team index.md - Atomic Test #1: Bitsadmin Download (cmd) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Bitsadmin Download (cmd) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] MIT License. © 2018 Red Canary
atomic-red-team T1072.md bitsadmin /transfer myDownloadJob /download /priority normal “https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi” #{radmin_installer} MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #9 - Windows - BITSAdmin BITS Download MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #9 - Windows - BITSAdmin BITS Download MIT License. © 2018 Red Canary
atomic-red-team T1105.md This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} MIT License. © 2018 Red Canary
atomic-red-team T1197.md The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) MIT License. © 2018 Red Canary
atomic-red-team T1197.md - Atomic Test #1 - Bitsadmin Download (cmd) MIT License. © 2018 Red Canary
atomic-red-team T1197.md - Atomic Test #2 - Bitsadmin Download (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1197.md ## Atomic Test #1 - Bitsadmin Download (cmd) MIT License. © 2018 Red Canary
atomic-red-team T1197.md This test simulates an adversary leveraging bitsadmin.exe to download MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} MIT License. © 2018 Red Canary
atomic-red-team T1197.md ## Atomic Test #2 - Bitsadmin Download (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1197.md This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /create #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /resume #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /complete #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md bitsadmin /transfer myDownloadJob /download /priority normal “https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe” #{rar_installer} MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md bitsadmin /transfer myDownloadJob /download /priority normal “https://www.7-zip.org/a/7z2002-x64.exe” #{7zip_installer} MIT License. © 2018 Red Canary
signature-base apt_keyboys.yar $x1 = “egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin” ascii CC BY-NC 4.0
signature-base gen_github_net_redteam_tools_guids.yar reference = “https://github.com/bitsadmin/nopowershell” CC BY-NC 4.0
signature-base gen_github_net_redteam_tools_guids.yar reference = “https://github.com/bitsadmin/fakelogonscreen” CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s13 = “bitsadmin /rawreturn /transfer getfile” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar reference = “https://github.com/bitsadmin/nopowershell” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


bitsadmin

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10

Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /? or bitsadmin /help to get a list of switches.

Most switches require a <job> parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.

By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.

Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.

Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.

Available switches


MIT License. Copyright (c) 2020-2021 Strontic.