1. Home
  2. Software
  3. BITSAdmin

BITSAdmin

BITSAdmin is a command line tool used to create and manage BITS Jobs. [1]

ID: S0190
Type: TOOL
Platforms: Windows
Contributors: Edward Millington
Version: 1.4
Created: 18 April 2018
Last Modified: 16 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

BITSAdmin can be used to create BITS Jobs to launch a malicious process.[2]
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

BITSAdmin can be used to create BITS Jobs to upload files from a compromised host.[1]
Enterprise T1105 Ingress Tool Transfer

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[1]
Enterprise T1570 Lateral Tool Transfer

BITSAdmin can be used to create BITS Jobs to upload and/or download files from SMB file servers.[3]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[4]
G0096 APT41

[5]
G1034 Daggerfly

Daggerfly has used BITSAdmin to retrieve files from remote locations to run on victim systems.[6]
G1001 HEXANE

[7]
G0065 Leviathan

[8]
G1046 Storm-1811

Storm-1811 has used BITSAdmin to download payloads.[9][10]
G0081 Tropic Trooper

[2]
G0137 Ferocious Kitten

[11]

References

  1. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  2. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  3. Microsoft. (2019, July 12). About BITS. Retrieved March 16, 2020.
  4. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  5. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  6. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  1. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  3. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  4. The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.
  5. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.