BITSAdmin
ID: S0190
ⓘ
Type: TOOL
ⓘ
Platforms: Windows
Contributors: Edward Millington
Version: 1.4
Created: 18 April 2018
Last Modified: 16 April 2025
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | BITSAdmin can be used to createBITS Jobs to launch a malicious process.[2] | |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol:Exfiltration Over Unencrypted Non-C2 Protocol | BITSAdmin can be used to createBITS Jobs to upload files from a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BITSAdmin can be used to createBITS Jobs to upload and/or download files.[1] | |
| Enterprise | T1570 | Lateral Tool Transfer | BITSAdmin can be used to createBITS Jobs to upload and/or download files from SMB file servers.[3] | |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | |
| G0096 | APT41 | |
| G1034 | Daggerfly | Daggerfly has usedBITSAdmin to retrieve files from remote locations to run on victim systems.[6] |
| G1001 | HEXANE | |
| G0065 | Leviathan | |
| G1046 | Storm-1811 | Storm-1811 has usedBITSAdmin to download payloads.[9][10] |
| G0081 | Tropic Trooper | |
| G0137 | Ferocious Kitten |
References
- Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
- Microsoft. (2019, July 12). About BITS. Retrieved March 16, 2020.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
- The Red Canary Team. (2024, June 20). Intelligence Insights: June 2024. Retrieved March 14, 2025.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
×