T1197 CrowdStrike LogScale · LogScale

Detect BITS Jobs in CrowdStrike LogScale

Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute code and perform background tasks such as downloading malicious payloads, executing arbitrary programs on job completion or error, and cleaning up artifacts. BITS is a COM-based file transfer mechanism built into Windows, commonly used by Windows Update and software installers. Adversaries exploit it via bitsadmin.exe or PowerShell BITS cmdlets to download tools from external infrastructure, achieve persistence using /SetNotifyCmdLine to invoke arbitrary executables when a job completes or errors (including after reboots), and exfiltrate data. BITS jobs are stored in a binary database (%ALLUSERSPROFILE%\Microsoft\Network\Downloader\) rather than in registry or filesystem, making them resistant to many persistence-focused detections. Active threat groups including APT39, APT41, Leviathan, Patchwork, and Wizard Spider have leveraged BITS for payload delivery and persistence.

MITRE ATT&CK

Tactic
Defense Evasion Persistence
Technique
T1197 BITS Jobs
Canonical reference
https://attack.mitre.org/techniques/T1197/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Branch 1: bitsadmin.exe abuse
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)bitsadmin\.exe$/
| CommandLine = /(?i)(\/(SetNotifyCmdLine|SetNotifyFlags|transfer|addfile|reset)|https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))|\\(?:AppData|Users\\Public|ProgramData|Windows\\Temp)|C:\\Temp|\.(exe|dll|ps1|bat|cmd|vbs|js|hta))/
| eval HasNotify := if(CommandLine =~ /(?i)(\/(SetNotifyCmdLine|SetNotifyFlags))/, "true", "false")
| eval HasTransfer := if(CommandLine =~ /(?i)(\/(transfer|addfile))/, "true", "false")
| eval SuspiciousDest := if(CommandLine =~ /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|C:\\Temp\\)/, "true", "false")
| eval SuspiciousExt := if(CommandLine =~ /(?i)\.(exe|dll|ps1|bat|cmd|vbs|js|hta)(\s|$)/, "true", "false")
| eval ExternalDownload := if(CommandLine =~ /https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))/, "true", "false")
| eval DetectionBranch := "BitsAdmin"
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HasNotify, HasTransfer, SuspiciousDest, SuspiciousExt, ExternalDownload, DetectionBranch])
| union [
  // Branch 2: PowerShell BITS cmdlets
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(Start-BitsTransfer|New-BitsTransfer|Add-BitsFile|Get-BitsTransfer|Set-BitsTransfer)/
  | CommandLine = /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|C:\\Temp\\|https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))|\.(exe|dll|ps1|bat|cmd|vbs|hta))/
  | eval HasNotify := if(CommandLine =~ /(?i)(SetNotifyCmdLine|Notify)/, "true", "false")
  | eval HasTransfer := "true"
  | eval SuspiciousDest := if(CommandLine =~ /(?i)(\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\)/, "true", "false")
  | eval SuspiciousExt := if(CommandLine =~ /(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta)(\s|$)/, "true", "false")
  | eval ExternalDownload := if(CommandLine =~ /https?:\/\/(?!.*(?:microsoft\.com|windowsupdate\.com|windows\.com))/, "true", "false")
  | eval DetectionBranch := "PowerShellBITS"
  | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HasNotify, HasTransfer, SuspiciousDest, SuspiciousExt, ExternalDownload, DetectionBranch])
]
| sortBy(timestamp, order=desc)
high severity high confidence

Detects BITS job abuse in CrowdStrike Falcon LogScale using ProcessRollup2 events. Branch 1 identifies bitsadmin.exe invocations with notification callbacks, suspicious staging destinations, suspicious file extensions, or downloads from non-Microsoft URLs. Branch 2 identifies PowerShell processes invoking BITS cmdlets (Start-BitsTransfer, New-BitsTransfer, Add-BitsFile) with suspicious download targets or external URLs. Results from both branches are unioned and sorted by timestamp.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Falcon LogScale (Humio)

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Windows Update and Defender signature updates using bitsadmin.exe — the non-Microsoft URL regex filter reduces noise but verify ComputerName and UserName context for SYSTEM-initiated events
  • CrowdStrike Falcon sensor or other security agent self-updates that leverage BITS for downloading updated components to ProgramData — correlate with known agent version update windows
  • IT endpoint management scripts using Start-BitsTransfer to deploy software or configurations to staging directories — verify ParentBaseFileName corresponds to known management tooling (msiexec.exe, ccmexec.exe, etc.)
Download portable Sigma rule (.yml)

Other platforms for T1197

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1BITSAdmin Download from External URL

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer' and 'http://127.0.0.1:8080/test.exe' and '%TEMP%\df00tech-test.exe'. Microsoft-Windows-Bits-Client EventID 3 (job created with name 'df00tech-test'). EventID 60 (job error, since no HTTP server is listening at 127.0.0.1:8080 — but job creation telemetry still fires). Security Event ID 4688 (if command line auditing enabled).

  2. Test 2BITS Persistence via SetNotifyCmdLine

    Expected signal: Sysmon Event ID 1: Four separate bitsadmin.exe Process Create events — for /create, /addfile, /SetNotifyCmdLine (CommandLine contains 'cmd.exe /c calc.exe'), and /SetNotifyFlags. Microsoft-Windows-Bits-Client EventID 3 (job creation). If the job errors (no HTTP server), the notify command fires: Sysmon EventID 1 for cmd.exe spawned by svchost.exe (BITS service) with ParentCommandLine containing BITS service context.

  3. Test 3PowerShell Start-BitsTransfer to Suspicious Location

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Start-BitsTransfer' and '$env:APPDATA' and 'payload.exe'. Microsoft-Windows-Bits-Client EventID 3 (job created programmatically). PowerShell ScriptBlock Log EventID 4104 with full Start-BitsTransfer cmdlet parameters. Sysmon EventID 3: Network connection attempt from svchost.exe (BITS service) to 127.0.0.1:8080.

  4. Test 4BITSAdmin Upload for Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: bitsadmin.exe Process Create with '/upload' in CommandLine. Microsoft-Windows-Bits-Client EventID 3 (job created with upload type). Sysmon EventID 3: Outbound network connection from svchost.exe to 127.0.0.1:8080. EventID 60 (job error, connection refused) with upload direction noted in event data.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1197 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1105Ingress Tool TransferT1053.005Scheduled TaskT1059.001PowerShellT1070Indicator RemovalT1048Exfiltration Over Alternative ProtocolT1218.003CMSTPT1543.003Windows ServiceT1547.001Registry Run Keys / Startup FolderT1036Masquerading

Same Tactic: Defense Evasion

Popular Detections