What starting position does this attack require?

The first step is Initial shell via phishing payload (T1078) — a initial access primitive. Assumed environment: foothold on a Windows endpoint where macro execution is blocked but the user can run cmd / batch scripts.

What is the final impact of this kill-chain?

The final step lands on bitsadmin /transfer beacon.exe (LOL-BITSADMIN), which falls under Command and Control. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

certutil + bitsadmin → AV-friendly stager chain

Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Initial shell via phishing payload

T1078 · Valid Accounts

Execution

Execute beacon

T1059 · Command and Scripting Interpreter

Command and Control

C2 beacon established

T1071 · Application Layer Protocol

Persistence

schtasks /create persistence

W-SCHEDTASK-HIJACK · Scheduled Task Hijack

Command and Control

certutil -decode encoded blob

LOL-CERTUTIL · certutil.exe Download / Decode

Command and Control

bitsadmin /transfer beacon.exe

LOL-BITSADMIN · bitsadmin.exe Background Transfer

§ Context

Assumed environment: foothold on a Windows endpoint where macro execution is blocked but the user can run cmd / batch scripts. AV detects raw `powershell -nop -w hidden iwr` patterns.

§ Steps

01
Initial shell via phishing payloadInitial Access
T1078— Valid Accounts
02
Execute beaconExecution
T1059— Command and Scripting Interpreter
03
C2 beacon establishedCommand and Control
T1071— Application Layer Protocol
04
schtasks /create persistencePersistence
W-SCHEDTASK-HIJACK— Scheduled Task Hijack
05
certutil -decode encoded blobCommand and Control
LOL-CERTUTIL— certutil.exe Download / Decode
06
bitsadmin /transfer beacon.exeCommand and Control
LOL-BITSADMIN— bitsadmin.exe Background Transfer

§ References

§ Frequently asked

What is the "certutil + bitsadmin → AV-friendly stager chain" attack path?: Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Initial shell via phishing payload (T1078) — a initial access primitive. Assumed environment: foothold on a Windows endpoint where macro execution is blocked but the user can run cmd / batch scripts.
What is the final impact of this kill-chain?: The final step lands on bitsadmin /transfer beacon.exe (LOL-BITSADMIN), which falls under Command and Control. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

certutil + bitsadmin → AV-friendly stager chain

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

USB drop in parking lot → HID payload → C2

io_uring UAF → modprobe_path overwrite → root

nf_tables UAF → kernel R/W → root

BYOVD → kernel-level disable of EDR callbacks

Build-system implant → signed supply-chain backdoor (SolarWinds-class)

AMSI patch → in-memory .NET / PowerShell stager