bitsadmin.exe
- File Path:
C:\WINDOWS\SysWOW64\bitsadmin.exe
- Description: BITS administration utility
Hashes
Type | Hash |
---|---|
MD5 | 81F910AD326B38EA6546E51173D75B2C |
SHA1 | E6D261BA73FDC5623CEAA04EAF39C0AF5A2D815E |
SHA256 | C5ADC38E0CE99A16CBBFCC10F16AA3A340CA0DCFF836607D6F6152322013A129 |
SHA384 | 4B2BEF81BCD7893CE86DF048B996E98F3C76AF1DF72D1E4CFA159F3E34BAF1DFF25C14C6719D4E1C0D67B0B5CC9BB553 |
SHA512 | 7086F8F42DA304896107923C7951FBFDFD7A3450DF4D36859E7C86F529EFEF657ECAA797807371B30066E11E423F908DA70CED0EEB9509341AC9BA925673F2FF |
SSDEEP | 3072:g8D853+Y/8tEONgK2SzecuFPOJrFzspK1en4NWc0jRuEiWM:glKZzuFPu1Gz/ |
Runtime Data
Usage (stdout):
BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.
Invalid command
USAGE: BITSADMIN [/RAWRETURN] [/WRAP | /NOWRAP] command
The following commands are available:
/HELP Prints this help
/? Prints this help
/UTIL /? Prints the list of utilities commands
/PEERCACHING /? Prints the list of commands to manage Peercaching
/CACHE /? Prints the list of cache management commands
/PEERS /? Prints the list of peer management commands
/LIST [/ALLUSERS] [/VERBOSE] List the jobs
/MONITOR [/ALLUSERS] [/REFRESH sec] Monitors the copy manager
/RESET [/ALLUSERS] Deletes all jobs in the manager
/TRANSFER <job name> [type] [/PRIORITY priority] [/ACLFLAGS flags] [/DYNAMIC]
remote_url local_name
Transfers one of more files.
[type] may be /DOWNLOAD or /UPLOAD; default is download
Multiple URL/file pairs may be specified.
Unlike most commands, <job name> may only be a name and not a GUID.
/DYNAMIC configures the job with BITS_JOB_PROPERTY_DYNAMIC_CONTENT, which relaxes the server-side requirements.
/CREATE [type] <job name> Creates a job
[type] may be /DOWNLOAD, /UPLOAD, or /UPLOAD-REPLY; default is download
Unlike most commands, <job name> may only be a name and not a GUID.
/INFO <job> [/VERBOSE] Displays information about the job
/ADDFILE <job> <remote_url> <local_name> Adds a file to the job
/ADDFILESET <job> <textfile> Adds multiple files to the job
Each line of <textfile> lists a file's remote name and local name, separated
by spaces. A line beginning with '#' is treated as a comment.
Once the file set is read into memory, the contents are added to the job.
/ADDFILEWITHRANGES <job> <remote_url> <local_name range_list>
Like /ADDFILE, but BITS will read only selected byte ranges of the URL.
range_list is a comma-delimited series of offset and length pairs.
For example,
0:100,2000:100,5000:eof
instructs BITS to read 100 bytes starting at offset zero, 100 bytes starting
at offset 2000, and the remainder of the URL starting at offset 5000.
/REPLACEREMOTEPREFIX <job> <old_prefix> <new_prefix>
All files whose URL begins with <old_prefix> are changed to use <new_prefix>
Note that BITS currently supports HTTP/HTTPS downloads and uploads.
It also supports UNC paths and file:// paths as URLS
/LISTFILES <job> Lists the files in the job
/SUSPEND <job> Suspends the job
/RESUME <job> Resumes the job
/CANCEL <job> Cancels the job
/COMPLETE <job> Completes the job
/GETTYPE <job> Retrieves the job type
/GETACLFLAGS <job> Retrieves the ACL propagation flags
/SETACLFLAGS <job> <ACL_flags> Sets the ACL propagation flags for the job
O - OWNER G - GROUP
D - DACL S - SACL
Examples:
bitsadmin /setaclflags MyJob OGDS
bitsadmin /setaclflags MyJob OGD
/GETBYTESTOTAL <job> Retrieves the size of the job
/GETBYTESTRANSFERRED <job> Retrieves the number of bytes transferred
/GETFILESTOTAL <job> Retrieves the number of files in the job
/GETFILESTRANSFERRED <job> Retrieves the number of files transferred
/GETCREATIONTIME <job> Retrieves the job creation time
/GETMODIFICATIONTIME <job> Retrieves the job modification time
/GETCOMPLETIONTIME <job> Retrieves the job completion time
/GETSTATE <job> Retrieves the job state
/GETERROR <job> Retrieves detailed error information
/GETOWNER <job> Retrieves the job owner
/GETDISPLAYNAME <job> Retrieves the job display name
/SETDISPLAYNAME <job> <display_name> Sets the job display name
/GETDESCRIPTION <job> Retrieves the job description
/SETDESCRIPTION <job> <description> Sets the job description
/GETPRIORITY <job> Retrieves the job priority
/SETPRIORITY <job> <priority> Sets the job priority
Priority usage choices:
FOREGROUND
HIGH
NORMAL
LOW
/GETNOTIFYFLAGS <job> Retrieves the notify flags
/SETNOTIFYFLAGS <job> <notify_flags> Sets the notify flags
For more help on this option, please refer to the MSDN help page for SetNotifyFlags/GETNOTIFYINTERFACE <job> Determines if notify interface is registered
/GETMINRETRYDELAY <job> Retrieves the retry delay in seconds
/SETMINRETRYDELAY <job> <retry_delay> Sets the retry delay in seconds
/GETNOPROGRESSTIMEOUT <job> Retrieves the no progress timeout in seconds
/SETNOPROGRESSTIMEOUT <job> <timeout> Sets the no progress timeout in seconds
/GETMAXDOWNLOADTIME <job> Retrieves the download timeout in seconds
/SETMAXDOWNLOADTIME <job> <timeout> Sets the download timeout in seconds
/GETERRORCOUNT <job> Retrieves an error count for the job
/SETPROXYSETTINGS <job> <usage> Sets the proxy usage
usage choices:
PRECONFIG - Use the owner's default Internet settings.
AUTODETECT - Force autodetection of proxy.
NO_PROXY - Do not use a proxy server.
OVERRIDE - Use an explicit proxy list and bypass list.
Must be followed by a proxy list and a proxy bypass list.
NULL or "" may be used for an empty proxy bypass list.
Examples:
bitsadmin /setproxysettings MyJob PRECONFIG
bitsadmin /setproxysettings MyJob AUTODETECT
bitsadmin /setproxysettings MyJob NO_PROXY
bitsadmin /setproxysettings MyJob OVERRIDE proxy1:80 "<local>"
bitsadmin /setproxysettings MyJob OVERRIDE proxy1,proxy2,proxy3 NULL
/GETPROXYUSAGE <job> Retrieves the proxy usage setting
/GETPROXYLIST <job> Retrieves the proxy list
/GETPROXYBYPASSLIST <job> Retrieves the proxy bypass list
/TAKEOWNERSHIP <job> Take ownership of the job
/SETNOTIFYCMDLINE <job> <program_name> [program_parameters]
Sets a program to execute for notification, and optionally parameters.
The program name and parameters can be NULL.
IMPORTANT: if parameters are non-NULL, then the program name should be the
first parameter.
Examples:
bitsadmin /SetNotifyCmdLine MyJob c:\winnt\system32\notepad.exe NULL
bitsadmin /SetNotifyCmdLine MyJob c:\callback.exe "c:\callback.exe parm1 parm2"
bitsadmin /SetNotifyCmdLine MyJob NULL NULL
/GETNOTIFYCMDLINE <job> Returns the job's notification command line
/SETCREDENTIALS <job> <target> <scheme> <username> <password>
Adds credentials to a job.
<target> may be either SERVER or PROXY
<scheme> may be BASIC, DIGEST, NTLM, NEGOTIATE, or PASSPORT.
/REMOVECREDENTIALS <job> <target> <scheme>
Removes credentials from a job.
/GETCUSTOMHEADERS <job> Gets the Custom HTTP Headers
/SETCUSTOMHEADERS <job> <header1> <header2> <...> Sets the Custom HTTP Headers
/MAKECUSTOMHEADERSWRITEONLY <job> Make a job's Custom HTTP Headers write-only (cannot be undone).
/GETHTTPMETHOD <job> Gets the HTTP verb to use.
/SETHTTPMETHOD <job> <HTTPMethod> Sets the HTTP verb to use.
/GETCLIENTCERTIFICATE <job> Gets the job's Client Certificate Information
/SETCLIENTCERTIFICATEBYID <job> <store_location> <store_name> <hexa-decimal_cert_id>
Sets a client authentication certificate to a job.
<store_location> may be
1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE).
/SETCLIENTCERTIFICATEBYNAME <job> <store_location> <store_name> <subject_name>
Sets a client authentication certificate to a job.
<store_location> may be
1(CURRENT_USER), 2(LOCAL_MACHINE), 3(CURRENT_SERVICE),
4(SERVICES), 5(USERS), 6(CURRENT_USER_GROUP_POLICY),
7(LOCAL_MACHINE_GROUP_POLICY) or 8(LOCAL_MACHINE_ENTERPRISE).
/REMOVECLIENTCERTIFICATE <job> Removes the Client Certificate Information from the job
/SETSECURITYFLAGS <job> <value>
Sets the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.
The value is an unsigned integer with the following interpretation for the bits in the binary representation.
Enable CRL Check : Set the least significant bit
Ignore invalid common name in server certificate : Set the 2nd bit from right
Ignore invalid date in server certificate : Set the 3rd bit from right
Ignore invalid certificate authority in server
certificate : Set the 4th bit from right
Ignore invalid usage of certificate : Set the 5th bit from right
Redirection policy : Controlled by the 9th-11th bits from right
0,0,0 - Redirects will be automatically allowed.
0,0,1 - Remote name in the IBackgroundCopyFile interface will be updated if a redirect occurs.
0,1,0 - BITS will fail the job if a redirect occurs.
Allow redirection from HTTPS to HTTP : Set the 12th bit from right
/GETSECURITYFLAGS <job>
Reports the HTTP security flags for URL redirection and checks performed on the server certificate during the transfer.
/SETVALIDATIONSTATE <job> <file-index> <true|false>
<file-index> starts from 0
Sets the content-validation state of the given file within the job.
/GETVALIDATIONSTATE <job> <file-index>
<file-index> starts from 0
Reports the content-validation state of the given file within the job.
/GETTEMPORARYNAME <job> <file-index>
<file-index> starts from 0
Reports the temporary filename of the given file within the job.
The following options control peercaching of a particular job:
/SETPEERCACHINGFLAGS <job> <value>
Sets the flags for the job's peercaching behavior.
The value is an unsigned integer with the following interpretation for the bits in the binary representation.
Allow the job's data to be downloaded from a peer : Set the least significant bit
Allow the job's data to be served to peers : Set the 2nd bit from right
/GETPEERCACHINGFLAGS <job>
Reports the flags for the job's peercaching behavior.
The following options are valid for UPLOAD-REPLY jobs only:
/GETREPLYFILENAME <job> Gets the path of the file containing the server reply
/SETREPLYFILENAME <job> <path> Sets the path of the file containing the server reply
/GETREPLYPROGRESS <job> Gets the size and progress of the server reply
/GETREPLYDATA <job> Dumps the server's reply data in hex format
/SETHELPERTOKEN <job> Sets the current command prompt's primary token as a job's helper token
/GETHELPERTOKENSID <job> Reports the user account SID of a job's helper token, if one is set
/SETHELPERTOKENFLAGS <job> <flags>
Sets the helper token usage flags for a job. Possible values are:
1 - The helper token is used when accessing the local filesystem.
2 - The helper token is used when accessing the network.
3 - The helper token is used when accessing both the local filesystem and the network.
/GETHELPERTOKENFLAGS <job>
Reports a job's helper token usage flags.
/GETPEERSTATS <job> <file-index>
<file-index> starts from 0
Reports statistics about the amount of data downloaded from peers and origin servers for a specific file within a job.
The following options can be placed before the command:
/RAWRETURN Return data more suitable for parsing
/WRAP Wrap output around console (default)
/NOWRAP Don't wrap output around console
The /RAWRETURN option strips new line characters and formatting.
It is recognized by the /CREATE and /GET* commands.
Commands that take a <job> parameter will accept either a job name or a job ID
GUID inside braces. BITSADMIN reports an error if a name is ambiguous.
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232
- Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: bitsadmin.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 7.8.18362.1 (WinBuild.160101.0800)
- Product Version: 7.8.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of bitsadmin.exe
being misused. While bitsadmin.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proxy_ua_bitsadmin_susp_tld.yml | title: Bitsadmin to Uncommon TLD |
DRL 1.0 |
sigma | proxy_ua_bitsadmin_susp_tld.yml | description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ |
DRL 1.0 |
sigma | proxy_ua_bitsadmin_susp_tld.yml | - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca |
DRL 1.0 |
sigma | win_bits_client_susp_use_bitsadmin.yml | title: Suspicious Task Added by Bitsadmin |
DRL 1.0 |
sigma | win_bits_client_susp_use_bitsadmin.yml | processPath\|endswith: '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_apt_greenbug_may20.yml | - 'bitsadmin' |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | title: Bitsadmin Download |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | description: Detects usage of bitsadmin downloading a file |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_bitsadmin_download.yml | - 'copy bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2020_10189.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_mmc_spawn_shell.yml | - '\BITSADMIN' |
DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' |
DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/Addfile.*(http\|https\|ftp\|ftps):.*' |
DRL 1.0 |
sigma | proc_creation_win_mshta_spawn_shell.yml | - '\BITSADMIN' |
DRL 1.0 |
sigma | proc_creation_win_powershell_bitsjob.yml | title: Suspicious Bitsadmin Job via PowerShell |
DRL 1.0 |
sigma | proc_creation_win_public_folder_parent.yml | - 'bitsadmin' |
DRL 1.0 |
sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_mssql.yml | - '\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | - '*\bitsadmin.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \bitsadmin.exe |
DRL 1.0 |
sigma | proc_creation_win_webshell_spawn.yml | - '\bitsadmin.exe' |
DRL 1.0 |
LOLBAS | Bitsadmin.yml | Name: Bitsadmin.exe |
|
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 |
|
LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job. |
|
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 |
|
LOLBAS | Bitsadmin.yml | Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. |
|
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset |
|
LOLBAS | Bitsadmin.yml | - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset |
|
LOLBAS | Bitsadmin.yml | Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job. |
|
LOLBAS | Bitsadmin.yml | - Path: C:\Windows\System32\bitsadmin.exe |
|
LOLBAS | Bitsadmin.yml | - Path: C:\Windows\SysWOW64\bitsadmin.exe |
|
LOLBAS | Bitsadmin.yml | - IOC: Child process from bitsadmin.exe |
|
LOLBAS | Bitsadmin.yml | - IOC: bitsadmin creates new files |
|
LOLBAS | Bitsadmin.yml | - IOC: bitsadmin adds data to alternate data stream |
|
atomic-red-team | index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Bitsadmin Download (cmd) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1072.md | bitsadmin /transfer myDownloadJob /download /priority normal “https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi” #{radmin_installer} | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | - Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | ## Atomic Test #9 - Windows - BITSAdmin BITS Download | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | - Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | - Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | ## Atomic Test #1 - Bitsadmin Download (cmd) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to download | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | ## Atomic Test #2 - Bitsadmin Download (PowerShell) | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /create #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /resume #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | bitsadmin.exe /complete #{bits_job_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal “https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe” #{rar_installer} | MIT License. © 2018 Red Canary |
atomic-red-team | T1560.001.md | bitsadmin /transfer myDownloadJob /download /priority normal “https://www.7-zip.org/a/7z2002-x64.exe” #{7zip_installer} | MIT License. © 2018 Red Canary |
signature-base | apt_keyboys.yar | $x1 = “egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin” ascii | CC BY-NC 4.0 |
signature-base | gen_github_net_redteam_tools_guids.yar | reference = “https://github.com/bitsadmin/nopowershell” | CC BY-NC 4.0 |
signature-base | gen_github_net_redteam_tools_guids.yar | reference = “https://github.com/bitsadmin/fakelogonscreen” | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s13 = “bitsadmin /rawreturn /transfer getfile” ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | reference = “https://github.com/bitsadmin/nopowershell” | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
bitsadmin
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10
Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /?
or bitsadmin /help
to get a list of switches.
Most switches require a <job>
parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.
By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.
Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.
Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.
Available switches
- bitsadmin /addfile
- bitsadmin /addfileset
- bitsadmin /addfilewithranges
- bitsadmin /cache
- bitsadmin /cache /delete
- bitsadmin /cache /deleteurl
- bitsadmin /cache /getexpirationtime
- bitsadmin /cache /getlimit
- bitsadmin /cache /help
- bitsadmin /cache /info
- bitsadmin /cache /list
- bitsadmin /cache /setexpirationtime
- bitsadmin /cache /setlimit
- bitsadmin /cache /clear
- bitsadmin /cancel
- bitsadmin /complete
- bitsadmin /create
- bitsadmin /examples
- bitsadmin /getaclflags
- bitsadmin /getbytestotal
- bitsadmin /getbytestransferred
- bitsadmin /getclientcertificate
- bitsadmin /getcompletiontime
- bitsadmin /getcreationtime
- bitsadmin /getcustomheaders
- bitsadmin /getdescription
- bitsadmin /getdisplayname
- bitsadmin /geterror
- bitsadmin /geterrorcount
- bitsadmin /getfilestotal
- bitsadmin /getfilestransferred
- bitsadmin /gethelpertokenflags
- bitsadmin /gethelpertokensid
- bitsadmin /gethttpmethod
- bitsadmin /getmaxdownloadtime
- bitsadmin /getminretrydelay
- bitsadmin /getmodificationtime
- bitsadmin /getnoprogresstimeout
- bitsadmin /getnotifycmdline
- bitsadmin /getnotifyflags
- bitsadmin /getnotifyinterface
- bitsadmin /getowner
- bitsadmin /getpeercachingflags
- bitsadmin /getpriority
- bitsadmin /getproxybypasslist
- bitsadmin /getproxylist
- bitsadmin /getproxyusage
- bitsadmin /getreplydata
- bitsadmin /getreplyfilename
- bitsadmin /getreplyprogress
- bitsadmin /getsecurityflags
- bitsadmin /getstate
- bitsadmin /gettemporaryname
- bitsadmin /gettype
- bitsadmin /getvalidationstate
- bitsadmin /help
- bitsadmin /info
- bitsadmin /list
- bitsadmin /listfiles
- bitsadmin /makecustomheaderswriteonly
- bitsadmin /monitor
- bitsadmin /nowrap
- bitsadmin /peercaching
- bitsadmin /peercaching /getconfigurationflags
- bitsadmin /peercaching /help
- bitsadmin /peercaching /setconfigurationflags
- bitsadmin /peers
- bitsadmin /peers /clear
- bitsadmin /peers /discover
- bitsadmin /peers /help
- bitsadmin /peers /list
- bitsadmin /rawreturn
- bitsadmin /removeclientcertificate
- bitsadmin /removecredentials
- bitsadmin /replaceremoteprefix
- bitsadmin /reset
- bitsadmin /resume
- bitsadmin /setaclflag
- bitsadmin /setclientcertificatebyid
- bitsadmin /setclientcertificatebyname
- bitsadmin /setcredentials
- bitsadmin /setcustomheaders
- bitsadmin /setdescription
- bitsadmin /setdisplayname
- bitsadmin /sethelpertoken
- bitsadmin /sethelpertokenflags
- bitsadmin /sethttpmethod
- bitsadmin /setmaxdownloadtime
- bitsadmin /setminretrydelay
- bitsadmin /setnoprogresstimeout
- bitsadmin /setnotifycmdline
- bitsadmin /setnotifyflags
- bitsadmin /setpeercachingflags
- bitsadmin /setpriority
- bitsadmin /setproxysettings
- bitsadmin /setreplyfilename
- bitsadmin /setsecurityflags
- bitsadmin /setvalidationstate
- bitsadmin /suspend
- bitsadmin /takeownership
- bitsadmin /transfer
- bitsadmin /util
- bitsadmin /util /enableanalyticchannel
- bitsadmin /util /getieproxy
- bitsadmin /util /help
- bitsadmin /util /repairservice
- bitsadmin /util /setieproxy
- bitsadmin /util /version
- bitsadmin /wrap
MIT License. Copyright (c) 2020-2021 Strontic.