module
Windows Persistence Bits Job
| Disclosed | Created |
|---|---|
| Oct 1, 2001 | Apr 15, 2026 |
Description
This module establishes persistence through a BITS job that
downloads and executes a payload. Background Intelligent Transfer Service
(BITS) is a Windows service for transferring files in the background
using idle network bandwidth. BITS jobs are persistent and will resume
across reboots until completed or cancelled.
BITS does not include a timing mechanism for when jobs are run, so we control that
in how we respond to the HTTP requests from the BITS client. This avoids needing
to set up an external trigger to start the job like a scheduled task or similar.
Similarly, BITS jobs are somewhat clock agnostic, so while we can set some
time parameters, they aren't a guarantee of when the job will actually run.
Jobs that we've idled via HTTP server response will have a "CONNECTING" status.
BITS is fickle about the HTTP responses it expects, so we have to be precise in
how the server responds. For a HEAD request we need to send back a correct
Content-Length header matching the payload size, but with no body. For GET requests
we need to handle byte range requests properly (although not always used),
sending back the appropriate Content-Range headers. If we respond incorrectly
BITS may error out or retry in unexpected ways. However, we can trick BITS into
not getting the payload until we want by responding to the GET requests with no
body (aka how we responded to the HEAD requests) until our delay time has been
reached.
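From the defender's side, the stalling behaviour described above shows up in web proxy logs as a BITS client that keeps issuing GET requests for the same URL and keeps receiving an empty body, sometimes followed much later by a full transfer. The following is an added detection example, not part of the module or of Metasploit: the CSV log layout, host names, addresses and thresholds are constructed assumptions, and the only real-world value is the `Microsoft BITS/` user-agent prefix that the BITS client sends.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical CSV proxy-log layout:
# time,client,method,url,response_body_bytes,user_agent
SAMPLE_LOG = """\
2026-04-15T09:00:00,10.0.0.5,HEAD,http://files.example.test/a.bin,0,Microsoft BITS/7.8
2026-04-15T09:00:01,10.0.0.5,GET,http://files.example.test/a.bin,0,Microsoft BITS/7.8
2026-04-15T09:10:01,10.0.0.5,GET,http://files.example.test/a.bin,0,Microsoft BITS/7.8
2026-04-15T09:30:01,10.0.0.5,GET,http://files.example.test/a.bin,0,Microsoft BITS/7.8
2026-04-15T10:30:01,10.0.0.5,GET,http://files.example.test/a.bin,73802,Microsoft BITS/7.8
2026-04-15T09:05:00,10.0.0.9,HEAD,http://updates.example.test/u.cab,0,Microsoft BITS/7.8
2026-04-15T09:05:01,10.0.0.9,GET,http://updates.example.test/u.cab,524288,Microsoft BITS/7.8
2026-04-15T09:06:00,10.0.0.7,GET,http://files.example.test/a.bin,0,curl/8.5.0
"""

BITS_AGENT_PREFIX = "Microsoft BITS/"  # user-agent prefix sent by the BITS client


def find_stalled_bits_jobs(log_text, min_empty_gets=3, min_span=timedelta(minutes=15)):
    """Flag (client, url) pairs where BITS kept receiving empty GET bodies.

    Thresholds are assumptions to tune against local baseline traffic.
    """
    empty = defaultdict(list)  # (client, url) -> times of empty-body GETs
    delivered = {}             # (client, url) -> time the body finally arrived
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, client, method, url, size, agent = row
        if method != "GET" or not agent.startswith(BITS_AGENT_PREFIX):
            continue
        key, when = (client, url), datetime.fromisoformat(ts)
        if int(size) == 0:
            empty[key].append(when)
        elif key not in delivered or when < delivered[key]:
            delivered[key] = when
    findings = []
    for (client, url), times in sorted(empty.items()):
        span = max(times) - min(times)
        if len(times) >= min_empty_gets and span >= min_span:
            findings.append({"client": client, "url": url, "empty_gets": len(times),
                             "stalled_for": span, "delivered_at": delivered.get((client, url))})
    return findings


if __name__ == "__main__":
    for finding in find_stalled_bits_jobs(SAMPLE_LOG):
        print(finding)
```

A finding identifies the host to examine; the job itself should appear there in the "CONNECTING" state noted above for as long as the server keeps stalling.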
Author
h00die
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':