diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index f7915bdf..4bd3477f 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -22,6 +22,8 @@ Adversaries may also copy files laterally between internal victim systems to sup
 - [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)
+- [Atomic Test #9 - Windows - BITSAdmin BITS Download](#atomic-test-9---windows---bitsadmin-bits-download)
+
@@ -191,3 +193,24 @@ certutil -verifyctl -split -f #{remote_file}
 Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
 ```
+
+
+## Atomic Test #9 - Windows - BITSAdmin BITS Download
+This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+This technique is used by Qbot malware to download payloads.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| bits_job_name | Name of the created BITS job | String | qcxjb7|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index e4c752cf..28414e78 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -668,6 +668,7 @@
 - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
 - Atomic Test #7: certutil download (urlcache) [windows]
 - Atomic Test #8: certutil download (verifyctl) [windows]
+ - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -767,6 +768,7 @@
 - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
 - Atomic Test #7: certutil download (urlcache) [windows]
 - Atomic Test #8: certutil download (verifyctl) [windows]
+ - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
 - Atomic Test #1: Malicious User Agents [windows]
 - Atomic Test #2: Malicious User Agents - Nix [linux, macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 8227e8ea..19e897a0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -19037,6 +19037,29 @@ lateral-movement:
 Set-Location $datePath
 certutil -verifyctl -split -f #{remote_file}
 Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+ - name: Windows - BITSAdmin BITS Download
+ description: |
+ This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+ This technique is used by Qbot malware to download payloads.
+ supported_platforms:
+ - windows
+ input_arguments:
+ bits_job_name:
+ description: Name of the created BITS job
+ type: String
+ default: qcxjb7
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: command_prompt
+ command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
+ HIGH #{remote_file} #{local_path}'
 T1077:
 technique:
 external_references:
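Review bot: The new executor block for "Windows - BITSAdmin BITS Download" has no cleanup step, so once the test runs the downloaded `Atomic-license.txt` stays in the working directory of every host the test is executed on; consider adding `cleanup_command: del #{local_path}` under `executor`, in this hunk and in the identical block in the command-and-control hunk at 20982. The description would also serve defenders better if it named the artefacts the test produces — a BITS job named `#{bits_job_name}` and a `bitsadmin.exe /transfer` process command line — so users know which telemetry to check when validating detection. The enclosing T1105 test list starts outside the hunk.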
@@ -20959,6 +20982,29 @@ command-and-control:
 Set-Location $datePath
 certutil -verifyctl -split -f #{remote_file}
 Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
+ - name: Windows - BITSAdmin BITS Download
+ description: |
+ This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
+ This technique is used by Qbot malware to download payloads.
+ supported_platforms:
+ - windows
+ input_arguments:
+ bits_job_name:
+ description: Name of the created BITS job
+ type: String
+ default: qcxjb7
+ remote_file:
+ description: URL of file to copy
+ type: Url
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+ local_path:
+ description: Local path to place file
+ type: Path
+ default: Atomic-license.txt
+ executor:
+ name: command_prompt
+ command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
+ HIGH #{remote_file} #{local_path}'
 T1071:
 technique:
 external_references:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 5dfcff89..01ace0e9 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -387,6 +387,7 @@
 - [T1105 Remote File Copy](./T1105/T1105.md)
 - Atomic Test #7: certutil download (urlcache) [windows]
 - Atomic Test #8: certutil download (verifyctl) [windows]
+ - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -538,6 +539,7 @@
 - [T1105 Remote File Copy](./T1105/T1105.md)
 - Atomic Test #7: certutil download (urlcache) [windows]
 - Atomic Test #8: certutil download (verifyctl) [windows]
+ - Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
 - [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
 - Atomic Test #1: Malicious User Agents [windows]
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)