MITRE ATT&CK® Analytic

AN0274: Analytic 0274

Behavioral chain: (1) An actor creates or modifies a BITS job via bitsadmin.exe, PowerShell BITS cmdlets, or COM; (2) the job performs HTTP(S)/SMB network transfers while the owning user is logged on; (3) upon job completion/error, BITS launches a notify command (SetNotifyCmdLine) from svchost.exe -k netsvcs -s BITS, often establishing persistence by keeping long-lived jobs. The strategy correlates process creation, command/script telemetry, BITS-Client operational events, and network connections initiated by BITS.

Domain: Enterprise | Object ID: AN0274 | Type: Analytic | Object version: 1.0 | Modified: (date not provided)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0274 is a Windows detection analytic focused on suspicious use of Background Intelligent Transfer Service (BITS). The business relevance is that BITS can blend file transfer, persistence-like behavior, and execution of a notification command under a normal Windows service context, which can make activity easy to miss if teams only monitor obvious user-launched tools or simple network connections.

Executive priority

Security leaders should treat this as a coverage validation item for Windows endpoint monitoring and incident response readiness. The key decision question is whether the SOC can connect the full chain: BITS job creation or modification, network transfer activity, and a resulting notify command launched from the BITS service context. If those evidence sources are not retained or correlated, investigations may lack proof of how a transfer or follow-on execution occurred.

Technical view

For Windows environments, validate whether telemetry captures BITS job creation or modification through bitsadmin.exe, the PowerShell BITS cmdlets (for example Start-BitsTransfer and Set-BitsTransfer), or COM; the Microsoft-Windows-Bits-Client/Operational event log; process creation events whose parent is the BITS service host (svchost.exe -k netsvcs -s BITS; on current Windows 10 and 11 builds the command line is typically svchost.exe -k netsvcs -p -s BITS, so match on the -s BITS switch rather than the exact string); command or script telemetry; and network connections initiated by BITS over HTTP(S) or SMB. Two caveats matter for correlation: the network connections are made by the service host, not by the process that created the job, so a bitsadmin.exe or powershell.exe process with no outbound traffic of its own is expected; and a job owned by an interactive user only makes progress while that user is logged on, so transfer timing tracks logon sessions. Detection should focus on correlation across these signals rather than any single event, especially long-lived jobs and execution of a SetNotifyCmdLine command after job completion or error.

Likely telemetry

  • Windows process creation events
  • Command-line telemetry
  • PowerShell script or command telemetry
  • BITS-Client operational event logs
  • Network connection telemetry for HTTP(S) and SMB transfers

Detection direction

  • Validate that BITS-Client operational logs are enabled, collected, and retained long enough to support investigations.
  • Correlate BITS job creation or modification with subsequent network transfer activity and notify command execution.
  • Tune analytics around process ancestry where notify commands are launched from svchost.exe -k netsvcs -s BITS.
  • Review legitimate administrative or software distribution use of BITS to reduce false positives.
  • Look for long-lived BITS jobs: the official description notes that keeping jobs alive is how the actor maintains persistence-like behavior, and BITS retains an inactive job for 90 days by default, so a job created weeks earlier can still fire its notify command.
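The technical view and the detection direction above both come down to one correlation: a BITS-Client job-created event, the transfer events for that job, and a process launched from the BITS service host shortly after the job completes. The script below is an added example written for this page, not MITRE or Glexia code, and it runs the correlation over a constructed sample of normalised events. The field names (source, ts, id, job, url, cmdline, parent_cmdline), the five-minute notify window, the 24-hour "long-lived" threshold, and the baseline host updates.corp.example are all assumptions; the BITS-Client event IDs used (3 job created, 59 transfer started, 4 job complete) are the ones from Microsoft-Windows-Bits-Client/Operational.

```python
"""
Correlate BITS-Client job events with process creations launched from the BITS
service host: the three-stage chain described by AN0274.

Added example, not MITRE or Glexia code. Event records use an assumed, normalised
schema (source/ts/id/job/url/...), not the raw XML of the Windows event logs.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Stage 3 parent: the BITS service host. "-p" appears on newer Windows builds, so
# the pattern tolerates extra switches between "-k netsvcs" and "-s BITS".
BITS_SVCHOST = re.compile(r"svchost\.exe.*-k\s+netsvcs\b.*-s\s+BITS\b", re.IGNORECASE)
NOTIFY_WINDOW = timedelta(minutes=5)   # notify command runs right after completion/error
LONG_LIVED = timedelta(hours=24)       # assumed local threshold for "long-lived" jobs
# Assumed local baseline of hosts used by legitimate software-distribution jobs.
BASELINE_HOSTS = {"updates.corp.example"}


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(events, now):
    """Return {job name: finding} built from BITS-Client and process-creation events."""
    events = sorted(events, key=lambda e: e["ts"])
    jobs = {}
    # Stages 1 and 2 come from Microsoft-Windows-Bits-Client/Operational:
    # 3 = job created, 59 = transfer started, 4 = job complete.
    for e in (e for e in events if e["source"] == "bits-client"):
        j = jobs.setdefault(e["job"], {"created": None, "creator": "", "owner": "",
                                       "urls": [], "completed": None, "notify": []})
        if e["id"] == 3:
            j["created"], j["creator"], j["owner"] = _ts(e["ts"]), e["process"], e["owner"]
        elif e["id"] == 59:
            j["urls"].append(e["url"])
        elif e["id"] == 4:
            j["completed"] = _ts(e["ts"])
    # Stage 3: a process whose parent is the BITS svchost, attributed to the job
    # that completed most recently before it (within NOTIFY_WINDOW).
    for e in (e for e in events if e["source"] == "process"):
        if not BITS_SVCHOST.search(e.get("parent_cmdline", "")):
            continue
        t = _ts(e["ts"])
        done = [j for j in jobs.values()
                if j["completed"] and timedelta(0) <= t - j["completed"] <= NOTIFY_WINDOW]
        if done:
            max(done, key=lambda j: j["completed"])["notify"].append(e["cmdline"])

    findings = {}
    for name, j in jobs.items():
        stages = {"created": j["created"] is not None,
                  "transferred": bool(j["urls"]),
                  "notify_launched": bool(j["notify"])}
        end = j["completed"] or _ts(now)          # still-running jobs age until "now"
        long_lived = stages["created"] and (end - j["created"]) > LONG_LIVED
        hosts = sorted({urlparse(u).hostname or "" for u in j["urls"]})
        baselined = bool(hosts) and all(h in BASELINE_HOSTS for h in hosts)
        if all(stages.values()) and not baselined:
            verdict = "alert"    # full chain to a non-baselined destination
        elif all(stages.values()) or (long_lived and not baselined):
            verdict = "review"   # full chain on a known host, or an unexplained long-lived job
        else:
            verdict = "info"
        findings[name] = {"stages": stages, "creator": j["creator"], "owner": j["owner"],
                          "hosts": hosts, "baselined": baselined, "long_lived": long_lived,
                          "notify": j["notify"], "verdict": verdict}
    return findings


# Constructed sample telemetry: one suspicious chain and one legitimate update job.
SAMPLE_EVENTS = [
    {"source": "bits-client", "id": 3, "ts": "2024-05-02T09:00:01", "job": "upd",
     "owner": "CORP\\jdoe", "process": "C:\\Windows\\System32\\bitsadmin.exe"},
    {"source": "bits-client", "id": 59, "ts": "2024-05-02T09:00:05", "job": "upd",
     "url": "http://203.0.113.10/payload.bin"},
    {"source": "bits-client", "id": 3, "ts": "2024-05-02T09:10:00", "job": "CorpUpdate",
     "owner": "NT AUTHORITY\\SYSTEM", "process": "C:\\Program Files\\CorpUpdater\\updater.exe"},
    {"source": "bits-client", "id": 59, "ts": "2024-05-02T09:10:02", "job": "CorpUpdate",
     "url": "https://updates.corp.example/pkg.msi"},
    {"source": "bits-client", "id": 4, "ts": "2024-05-02T09:12:00", "job": "CorpUpdate"},
    {"source": "process", "ts": "2024-05-02T09:30:00", "image": "C:\\Windows\\notepad.exe",
     "cmdline": "notepad.exe", "parent_cmdline": "C:\\Windows\\explorer.exe"},
    {"source": "bits-client", "id": 4, "ts": "2024-05-04T10:00:00", "job": "upd"},
    {"source": "process", "ts": "2024-05-04T10:00:02", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c start C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.bin",
     "parent_cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS"},
]

if __name__ == "__main__":
    for job, f in correlate(SAMPLE_EVENTS, now="2024-05-05T00:00:00").items():
        print(f"{f['verdict']:6} {job:12} stages={f['stages']} long_lived={f['long_lived']} "
              f"hosts={f['hosts']} notify={f['notify']}")
```

The job "upd" is created by bitsadmin.exe, pulls from a non-baselined host, stays alive for two days and then launches cmd.exe from the BITS svchost, so it reaches "alert"; "CorpUpdate" transfers from the baselined host, completes in minutes and never fires a notify command, so it stays at "info". The notepad.exe launch from explorer.exe is ignored because its parent does not match the BITS service host. In a SIEM the same logic maps onto a join on job name between the BITS-Client events and a time-windowed join against process creation filtered on the parent command line; the baseline set is where the local software-distribution review feeds in.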

Mitigation priorities

  • Prioritize telemetry readiness first: confirm endpoint, command, script, BITS-Client, and network evidence sources are available for Windows systems.
  • Establish baselines for legitimate BITS usage by administration tools and software update workflows.
  • Restrict or monitor unnecessary use of bitsadmin.exe, PowerShell BITS cmdlets, and COM-based BITS job creation where business operations allow.
  • Ensure incident response playbooks include collection and review of BITS jobs, BITS event logs, related process trees, and associated network destinations.
  • Use the analytic as compliance and audit evidence for monitoring of service-based execution and suspicious file transfer behavior where Windows endpoint logging is in scope.

Analyst notes and limits

The supplied object is a detection analytic, not a technique entry, and no tactic or relationship context was provided. Its value is strongest as a validation checklist for SOC correlation and Windows telemetry completeness around BITS behavior.

Official detection content is not provided, and no relationships, procedures, mitigations, or data components were supplied. Local baselines are required to distinguish legitimate BITS activity from suspicious behavior. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition



Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided)
Modified: (not provided)
Raw hash: bdd0a3966152fa09...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | bdd0a3966152…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN0274 (source URL).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.