T1197

BITS Jobs

Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute code and perform background tasks such as downloading malicious payloads, executing arbitrary programs on job completion or error, and cleaning up artifacts. BITS is a COM-based file transfer mechanism built into Windows, commonly used by Windows Update and software installers. Adversaries exploit it via bitsadmin.exe or PowerShell BITS cmdlets to download tools from external infrastructure, achieve persistence using /SetNotifyCmdLine to invoke arbitrary executables when a job completes or errors (including after reboots), and exfiltrate data. BITS jobs are stored in a binary database (%ALLUSERSPROFILE%\Microsoft\Network\Downloader\) rather than in registry or filesystem, making them resistant to many persistence-focused detections. Active threat groups including APT39, APT41, Leviathan, Patchwork, and Wizard Spider have leveraged BITS for payload delivery and persistence.

Microsoft Sentinel / Defender

kusto

let SuspiciousDestinations = dynamic([
  "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
  "\\Users\\Public\\", "\\ProgramData\\",
  "\\Windows\\Temp\\", "C:\\Temp\\"
]);
let SuspiciousExtensions = dynamic([
  ".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"
]);
let BitsBinaryPatterns = dynamic([
  "/transfer", "/create", "/addfile", "/SetNotifyCmdLine",
  "/SetNotifyFlags", "/resume", "/complete", "/reset",
  "Start-BitsTransfer", "New-BitsTransfer", "Add-BitsFile"
]);
// Branch 1: bitsadmin.exe execution with suspicious arguments
let BitsAdminExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bitsadmin.exe"
| extend HasNotify = ProcessCommandLine has_any ("/SetNotifyCmdLine", "/SetNotifyFlags")
| extend HasTransfer = ProcessCommandLine has_any ("/transfer", "/addfile")
| extend HasReset = ProcessCommandLine has "/reset"
| extend SuspiciousDest = ProcessCommandLine has_any (SuspiciousDestinations)
| extend SuspiciousExt = ProcessCommandLine has_any (SuspiciousExtensions)
| extend DownloadFromExternal = ProcessCommandLine matches regex @"https?://(?!.*\.microsoft\.com|.*\.windowsupdate\.com|.*\.windows\.com)[^\s]+"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          HasNotify, HasTransfer, HasReset, SuspiciousDest, SuspiciousExt, DownloadFromExternal,
          DetectionBranch = "BitsAdmin"
| where HasNotify or HasTransfer or (SuspiciousDest and SuspiciousExt) or DownloadFromExternal;
// Branch 2: PowerShell BITS cmdlets
let PowerShellBits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Start-BitsTransfer", "New-BitsTransfer", "Add-BitsFile", "Get-BitsTransfer", "Set-BitsTransfer")
| extend SuspiciousDest = ProcessCommandLine has_any (SuspiciousDestinations)
| extend SuspiciousExt = ProcessCommandLine has_any (SuspiciousExtensions)
| extend DownloadFromExternal = ProcessCommandLine matches regex @"https?://(?!.*\.microsoft\.com|.*\.windowsupdate\.com|.*\.windows\.com)[^\s]+"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          HasNotify = tobool(ProcessCommandLine has_any ("SetNotifyCmdLine", "Notify")),
          HasTransfer = true, HasReset = false,
          SuspiciousDest, SuspiciousExt, DownloadFromExternal,
          DetectionBranch = "PowerShellBITS"
| where SuspiciousDest or DownloadFromExternal or SuspiciousExt;
// Union both branches
union BitsAdminExec, PowerShellBits
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Windows Update and Microsoft patching infrastructure using bitsadmin.exe or BITS service legitimately — typically originating from TrustedInstaller or SYSTEM account downloading from *.windowsupdate.com
Software deployment tools (SCCM/ConfigMgr, Intune) using BITS for package distribution — parent process is usually CcmExec.exe or IntuneManagementExtension.exe
Third-party software updaters (e.g., antivirus updates, browser updaters) that leverage BITS for bandwidth-friendly background downloads
IT automation scripts using Start-BitsTransfer for legitimate large file transfers to user-accessible shares or deployment directories
Developer workstations where CI/CD pipelines or build tools invoke bitsadmin.exe for artifact retrieval

Splunk

spl

index=wineventlog
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (Image="*\\bitsadmin.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"))
  OR
  (sourcetype="WinEventLog:Microsoft-Windows-Bits-Client" (EventCode=59 OR EventCode=3 OR EventCode=16))
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, "")
| eval Image=coalesce(Image, "")
| eval IsBitsAdmin=if(match(Image, "(?i)bitsadmin\.exe$"), 1, 0)
| eval IsPowerShell=if(match(Image, "(?i)(powershell|pwsh)\.exe$"), 1, 0)
| eval HasNotify=if(match(lower(CommandLine), "(/setnotifycmdline|/setnotifyflags)"), 1, 0)
| eval HasTransfer=if(match(lower(CommandLine), "(/transfer|/addfile|start-bitstransfer|new-bitstransfer|add-bitsfile)"), 1, 0)
| eval HasReset=if(match(lower(CommandLine), "/reset"), 1, 0)
| eval SuspiciousDest=if(match(lower(CommandLine), "(\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\windows\\\\temp\\\\|c:\\\\temp\\\\)"), 1, 0)
| eval SuspiciousExt=if(match(lower(CommandLine), "\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$|'|\")"), 1, 0)
| eval ExternalDownload=if(match(CommandLine, "https?://(?!(.*\.microsoft\.com|.*\.windowsupdate\.com|.*\.windows\.com))"), 1, 0)
| eval SuspicionScore=HasNotify + HasTransfer + SuspiciousDest + SuspiciousExt + ExternalDownload
| where (IsBitsAdmin=1 OR IsPowerShell=1) AND SuspicionScore >= 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        HasNotify, HasTransfer, HasReset, SuspiciousDest, SuspiciousExt, ExternalDownload, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Microsoft-Windows-Bits-Client EventID 59, 3, 16

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Microsoft-Windows-Bits-Client

False Positives

Windows Update infrastructure downloading patches via BITS — origin account is SYSTEM or NT AUTHORITY\NETWORK SERVICE downloading from *.windowsupdate.com or *.delivery.mp.microsoft.com
SCCM/ConfigMgr content distribution using BITS — parent is CcmExec.exe with destination in %WINDIR%\ccmcache\
Third-party antivirus or endpoint agents using BITS for signature or definition updates
Legitimate IT scripts using Start-BitsTransfer for scheduled large-file backups or software distribution
Developer tools or package managers invoking BITS as a transport mechanism for binary downloads from known-good registries

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name : "bitsadmin.exe" and
      (
        process.args : ("/SetNotifyCmdLine", "/SetNotifyFlags", "/transfer", "/addfile", "/reset") or
        process.command_line regex~ "https?://(?!(.*\.microsoft\.com|.*\.windowsupdate\.com|.*\.windows\.com))" or
        process.command_line : ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*", "*C:\\Temp\\*") or
        process.command_line : ("*.exe*", "*.dll*", "*.ps1*", "*.bat*", "*.cmd*", "*.vbs*", "*.js*", "*.hta*")
      )
     ) or
     (process.name : ("powershell.exe", "pwsh.exe") and
      process.command_line : ("*Start-BitsTransfer*", "*New-BitsTransfer*", "*Add-BitsFile*", "*Get-BitsTransfer*", "*Set-BitsTransfer*") and
      (
        process.command_line : ("*\\AppData\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*") or
        process.command_line regex~ "https?://(?!(.*\.microsoft\.com|.*\.windowsupdate\.com|.*\.windows\.com))" or
        process.command_line : ("*.exe*", "*.dll*", "*.ps1*", "*.bat*", "*.hta*")
      )
     )
   )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (Windows) Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Windows Update and Windows Defender use bitsadmin.exe or BITS transfers legitimately to download updates from microsoft.com and windowsupdate.com domains — these are excluded by the domain filter but verify initiating process context
Enterprise software deployment tools (SCCM, Intune, PDQ Deploy) may use BITS to distribute packages to ProgramData or other directories — correlate with known software deployment windows
Developers and IT administrators running Start-BitsTransfer in PowerShell scripts for legitimate file transfers to standard working directories — review initiating user account and parent process

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "Process Name" AS image,
  "Command" AS command_line,
  "Parent Process Name" AS parent_image,
  CASE
    WHEN LOWER("Command") MATCHES '(/setnotifycmdline|/setnotifyflags)' THEN 1 ELSE 0
  END AS has_notify,
  CASE
    WHEN LOWER("Command") MATCHES '(/transfer|/addfile|start-bitstransfer|new-bitstransfer|add-bitsfile)' THEN 1 ELSE 0
  END AS has_transfer,
  CASE
    WHEN LOWER("Command") MATCHES '(\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\|c:\\temp\\)' THEN 1 ELSE 0
  END AS suspicious_dest,
  CASE
    WHEN LOWER("Command") MATCHES '\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$)' THEN 1 ELSE 0
  END AS suspicious_ext,
  CASE
    WHEN "Command" MATCHES 'https?://' AND NOT "Command" MATCHES '(microsoft\.com|windowsupdate\.com|windows\.com)' THEN 1 ELSE 0
  END AS external_download,
  (
    CASE WHEN LOWER("Command") MATCHES '(/setnotifycmdline|/setnotifyflags)' THEN 1 ELSE 0 END +
    CASE WHEN LOWER("Command") MATCHES '(/transfer|/addfile|start-bitstransfer|new-bitstransfer|add-bitsfile)' THEN 1 ELSE 0 END +
    CASE WHEN LOWER("Command") MATCHES '(\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\)' THEN 1 ELSE 0 END +
    CASE WHEN LOWER("Command") MATCHES '\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$)' THEN 1 ELSE 0 END +
    CASE WHEN "Command" MATCHES 'https?://' AND NOT "Command" MATCHES '(microsoft\.com|windowsupdate\.com|windows\.com)' THEN 1 ELSE 0 END
  ) AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14)
  AND (
    LOWER("Process Name") LIKE '%bitsadmin.exe'
    OR LOWER("Process Name") LIKE '%powershell.exe'
    OR LOWER("Process Name") LIKE '%pwsh.exe'
  )
  AND (
    LOWER("Command") MATCHES '(/setnotifycmdline|/setnotifyflags|/transfer|/addfile|start-bitstransfer|new-bitstransfer|add-bitsfile)'
    OR ("Command" MATCHES 'https?://' AND NOT "Command" MATCHES '(microsoft\.com|windowsupdate\.com|windows\.com)')
    OR LOWER("Command") MATCHES '(\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\)'
  )
  AND LOGSOURCETYPEID IN (12, 13, 14)
ORDER BY suspicion_score DESC, starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Windows Sysmon DSM

Required Tables

events (LOGSOURCETYPEID 12/13/14 — Windows Security/System/Sysmon)

False Positives

Windows software update mechanisms using bitsadmin.exe to contact Microsoft-owned domains — filtered by domain exclusion but may match if command line includes temporary paths alongside legitimate URLs
IT automation or MDM solutions invoking PowerShell BITS cmdlets to push policy or agent updates to ProgramData directories — correlate with change management records
Security scanning tools or EDR agents performing BITS-based telemetry uploads — review logsource and parent process to confirm legitimacy

Sumo Logic CSE

sql

_sourceCategory=windows* ("bitsadmin.exe" OR "powershell.exe" OR "pwsh.exe")
| parse regex field=_raw "(?i)(?:Image|NewProcessName)[=:]\s*(?P<image>[^\s"]+)" nodrop
| parse regex field=_raw "(?i)(?:CommandLine|ProcessCommandLine|Command)[=:]\s*(?P<command_line>.+?)(?:\n|\r|$)" nodrop
| parse regex field=_raw "(?i)(?:ParentImage|ParentProcessName)[=:]\s*(?P<parent_image>[^\s"]+)" nodrop
| parse regex field=_raw "(?i)(?:User|AccountName)[=:]\s*(?P<username>[^\s"]+)" nodrop
| where image matches "*bitsadmin.exe" or image matches "*powershell.exe" or image matches "*pwsh.exe"
| eval is_bitsadmin = if(matches(image, ".*bitsadmin\.exe$"), 1, 0)
| eval is_powershell = if(matches(image, ".*(powershell|pwsh)\.exe$"), 1, 0)
| eval has_notify = if(matches(toLowerCase(command_line), "(/setnotifycmdline|/setnotifyflags)"), 1, 0)
| eval has_transfer = if(matches(toLowerCase(command_line), "(/transfer|/addfile|start-bitstransfer|new-bitstransfer|add-bitsfile)"), 1, 0)
| eval has_reset = if(matches(toLowerCase(command_line), "/reset"), 1, 0)
| eval suspicious_dest = if(matches(toLowerCase(command_line), "(\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\windows\\\\temp\\\\|c:\\\\temp\\\\)"), 1, 0)
| eval suspicious_ext = if(matches(toLowerCase(command_line), "\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$|'|\")"), 1, 0)
| eval external_download = if(matches(command_line, "https?://") and !matches(command_line, "(microsoft\.com|windowsupdate\.com|windows\.com)"), 1, 0)
| eval suspicion_score = has_notify + has_transfer + suspicious_dest + suspicious_ext + external_download
| where suspicion_score >= 1
| fields _messageTime, _sourceHost, username, image, command_line, parent_image, has_notify, has_transfer, has_reset, suspicious_dest, suspicious_ext, external_download, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs via Sumo Logic Installed Collector Sysmon for Windows via Sumo Logic

Required Tables

windows* _sourceCategory (Security, Sysmon, System event logs)

False Positives

Windows Update background transfers matching bitsadmin patterns — the external domain exclusion for microsoft.com/windowsupdate.com/windows.com reduces this but verify the full URL in command_line
Third-party backup or sync agents that invoke PowerShell Start-BitsTransfer to write to AppData or ProgramData directories as part of normal operations — validate against known software inventory
Red team simulations or penetration testing activities using BITS as a documented test case — cross-reference with authorized testing windows and source hostnames

Google Chronicle / SecOps

yaral

rule bits_jobs_abuse_t1197 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects BITS job abuse via bitsadmin.exe or PowerShell BITS cmdlets for payload download, persistence via notification commands, or staging to suspicious directories. Maps to MITRE ATT&CK T1197."
    mitre_attack_tactic = "Persistence, Defense Evasion"
    mitre_attack_technique = "T1197"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""

    (
      // Branch 1: bitsadmin.exe with suspicious arguments
      (
        re.regex($e.target.process.file.full_path, `(?i)bitsadmin\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)(/SetNotifyCmdLine|/SetNotifyFlags|/transfer|/addfile|/reset)`) or
          re.regex($e.target.process.command_line, `(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|C:\\Temp\\)`) or
          re.regex($e.target.process.command_line, `(?i)\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$)`) or
          (
            re.regex($e.target.process.command_line, `https?://`) and
            not re.regex($e.target.process.command_line, `(?i)(microsoft\.com|windowsupdate\.com|windows\.com)`)
          )
        )
      ) or
      // Branch 2: PowerShell BITS cmdlets with suspicious indicators
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Start-BitsTransfer|New-BitsTransfer|Add-BitsFile|Get-BitsTransfer|Set-BitsTransfer)`) and
        (
          re.regex($e.target.process.command_line, `(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\)`) or
          (
            re.regex($e.target.process.command_line, `https?://`) and
            not re.regex($e.target.process.command_line, `(?i)(microsoft\.com|windowsupdate\.com|windows\.com)`)
          ) or
          re.regex($e.target.process.command_line, `(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta)(\s|$)`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint Telemetry via Chronicle Forwarder Sysmon UDM Ingestion

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Legitimate Windows Update or Defender signature updates using bitsadmin.exe targeting microsoft.com — the domain regex exclusion handles most cases but monitor for edge cases with URL redirection through intermediate CDN domains
Enterprise patch management systems (WSUS, Intune) invoking BITS for package distribution to ProgramData — validate parent process is a known management agent (MicrosoftEdgeUpdate.exe, MsMpEng.exe, etc.)
Developer or DevOps scripts using Start-BitsTransfer to download build artifacts or dependencies to local temp directories — correlate principal.user.userid with known developer accounts

CrowdStrike LogScale (CQL)

cql

// Branch 1: bitsadmin.exe abuse
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)bitsadmin\.exe$/
| CommandLine = /(?i)(\/(SetNotifyCmdLine|SetNotifyFlags|transfer|addfile|reset)|https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))|\\(?:AppData|Users\\Public|ProgramData|Windows\\Temp)|C:\\Temp|\.(exe|dll|ps1|bat|cmd|vbs|js|hta))/
| eval HasNotify := if(CommandLine =~ /(?i)(\/(SetNotifyCmdLine|SetNotifyFlags))/, "true", "false")
| eval HasTransfer := if(CommandLine =~ /(?i)(\/(transfer|addfile))/, "true", "false")
| eval SuspiciousDest := if(CommandLine =~ /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|C:\\Temp\\)/, "true", "false")
| eval SuspiciousExt := if(CommandLine =~ /(?i)\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$)/, "true", "false")
| eval ExternalDownload := if(CommandLine =~ /https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))/, "true", "false")
| eval DetectionBranch := "BitsAdmin"
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HasNotify, HasTransfer, SuspiciousDest, SuspiciousExt, ExternalDownload, DetectionBranch])
| union [
  // Branch 2: PowerShell BITS cmdlets
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(Start-BitsTransfer|New-BitsTransfer|Add-BitsFile|Get-BitsTransfer|Set-BitsTransfer)/
  | CommandLine = /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|C:\\Temp\\|https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))|\.(exe|dll|ps1|bat|cmd|vbs|hta))/
  | eval HasNotify := if(CommandLine =~ /(?i)(SetNotifyCmdLine|Notify)/, "true", "false")
  | eval HasTransfer := "true"
  | eval SuspiciousDest := if(CommandLine =~ /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\)/, "true", "false")
  | eval SuspiciousExt := if(CommandLine =~ /(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta)(\s|$)/, "true", "false")
  | eval ExternalDownload := if(CommandLine =~ /https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))/, "true", "false")
  | eval DetectionBranch := "PowerShellBITS"
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HasNotify, HasTransfer, SuspiciousDest, SuspiciousExt, ExternalDownload, DetectionBranch])
]
| sortBy(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Windows Update and Defender signature updates using bitsadmin.exe — the non-Microsoft URL regex filter reduces noise but verify ComputerName and UserName context for SYSTEM-initiated events
CrowdStrike Falcon sensor or other security agent self-updates that leverage BITS for downloading updated components to ProgramData — correlate with known agent version update windows
IT endpoint management scripts using Start-BitsTransfer to deploy software or configurations to staging directories — verify ParentBaseFileName corresponds to known management tooling (msiexec.exe, ccmexec.exe, etc.)

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1197 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

BITS Jobs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections