BITSAdmin Attack Flow
Interactive walkthrough of a BITSAdmin-based attack chain. Shows how the Windows BITS service is abused for payload delivery, persistence, and defense evasion using a signed Microsoft binary.
By Mohamed Habib Jaouadi, December 1, 2025
#lolbas
#bitsadmin
#living-off-the-land
#persistence
#defense-evasion
#windows
BITSAdmin Attack Flow: KEGTAP Ransomware Delivery
How attackers abuse Background Intelligent Transfer Service (BITS) for persistence and malware deployment
Step 1: Initial Compromise
The victim system is infected with BazarLoader malware.
Step 2: BITS Job Creation
KEGTAP creates a malicious BITS job with specific parameters.
Step 3: Add Fake Transfer
The job is configured to download from a non-existent localhost resource.
Step 4: Set Notification Handler
A command is configured to execute when the job enters the error state.
Step 5: Resume Job
The BITS job is started, triggering the download attempt.
Step 6: Download Fails (By Design)
The job attempts the localhost download, fails as expected, and enters the error state.
Step 7: Error Triggers Notification
The error state fires the SetNotifyCmdLine command, which executes KEGTAP.
Step 8: Malware Deployment
KEGTAP fetches and deploys the final payload (Cobalt Strike, Ryuk, etc.).
Console simulation (interactive, per attack step): C:\>bitsadmin /list /allusers
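The defender-side check that follows from the chain above: a BITS job that carries a notification command line while pointing at a localhost URL or sitting in the ERROR state matches the fake-transfer pattern, because the failed download exists only to fire the command. This is an added example, not code from the original page; the field names follow the layout of `bitsadmin /list /allusers /verbose`, but the listing text itself is constructed, and it assumes the output has already been captured to a string.

```python
"""Flag BITS jobs whose notification command looks like an error-triggered launcher."""
import re

# Constructed sample listing: one benign update-style job, one KEGTAP-like job.
SAMPLE_OUTPUT = """\
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: WU Client Download
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
JOB FILES:
        0 / 12345 WORKING https://download.windowsupdate.com/x.cab -> C:\\Windows\\Temp\\x.cab

GUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} DISPLAY: System update
TYPE: DOWNLOAD STATE: ERROR OWNER: CORP\\jdoe
JOB FILES:
        0 / UNKNOWN WORKING http://localhost/nothing.bin -> C:\\Users\\Public\\n.bin
NOTIFICATION COMMAND LINE: C:\\Users\\Public\\Libraries\\update.exe
"""

LOCALHOST = re.compile(r"https?://(localhost|127\.0\.0\.1|\[::1\])", re.I)

def parse_jobs(text):
    """Split the verbose listing (jobs separated by blank lines) into dicts."""
    jobs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        job = {"urls": []}
        for line in block.splitlines():
            if m := re.search(r"^GUID:\s*(\S+)\s+DISPLAY:\s*(.*)$", line):
                job["guid"], job["display"] = m.group(1), m.group(2).strip()
            if m := re.search(r"\bSTATE:\s*(\w+)", line):
                job["state"] = m.group(1)
            if m := re.search(r"^NOTIFICATION COMMAND LINE:\s*(.*)$", line):
                job["notify_cmd"] = m.group(1).strip()
            if m := re.search(r"(https?://\S+)\s*->", line):  # remote -> local path
                job["urls"].append(m.group(1))
        jobs.append(job)
    return jobs

def suspicious_jobs(text):
    """Return (guid, notify_cmd, reasons) for jobs matching the pattern."""
    hits = []
    for job in parse_jobs(text):
        cmd = job.get("notify_cmd", "")
        if not cmd or cmd.lower() == "none":
            continue  # no command to fire on completion or error; nothing to flag
        reasons = []
        if any(LOCALHOST.search(u) for u in job["urls"]):
            reasons.append("localhost source")
        if job.get("state") == "ERROR":
            reasons.append("job in ERROR state")
        if reasons:
            hits.append((job["guid"], cmd, reasons))
    return hits

for guid, cmd, reasons in suspicious_jobs(SAMPLE_OUTPUT):
    print(f"{guid}: notify={cmd!r} ({', '.join(reasons)})")
```

On a live host, feed it the output of `bitsadmin /list /allusers /verbose` and corroborate hits against Microsoft-Windows-Bits-Client event log entries for the same job GUID.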
Why This Technique Is Effective
- BITS is a legitimate Windows service used by Windows Update
- The actual malware download occurs after the BITS job triggers
- The BITS job appears to download from localhost, not from an external C2
- Persistence survives reboots and cleanup attempts