infosecn1nja
/
LOLBAS
mirror of https://github.com/infosecn1nja/LOLBAS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
LOLBAS/OSBinaries/Bitsadmin.md

49 lines
1.3 KiB
Markdown
Raw Normal View History

Bitsadmin.exe
2018-05-07 11:58:43 +00:00
## Bitsadmin.exe
* Functions: Execute, Download, Copy, Read ADS
```
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Added Bitsadmin.exe example
2018-05-07 12:07:52 +00:00
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Bitsadmin.exe
2018-05-07 11:58:43 +00:00
```
Acknowledgements:
* Rob Fuller - @mubix
* Chris Gates - @carnal0wnage
* Oddvar Moe - @oddvarmoe
Code sample:
*
Resources:
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
* https://www.youtube.com/watch?v=_8xJaaQlpBo
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Full path:
```
c:\windows\system32\bitsadmin.exe
c:\windows\sysWOW64\bitsadmin.exe
```
Notes:
Minor modifications: * Can only get bitsadmin to work with regular user. Testing from a webshell doesn't work * Replace syntax seems to only function for webdav, as the referenced source implies * Syncapp powershell syntax errors: extra (, no terminating "
2018-05-16 16:07:17 +00:00
* Requires active user (doesn't work from a web shell)
Bitsadmin.exe
2018-05-07 11:58:43 +00:00
Detection: