DET0098: Detect abuse of Windows BITS Jobs for download, execution and persistence
DET0098 is a detection strategy for identifying abuse of Windows BITS Jobs, a legitimate background transfer mechanism that can be misused for download, ex...
Analyst context for executives and security teams
DET0098 is a detection strategy for identifying abuse of Windows BITS Jobs, a legitimate background transfer mechanism that can be misused for download, execution, and persistence. The business significance is that trusted operating-system services can blur the line between normal software update activity and attacker-managed background tasks, so leadership should not treat this as a purely endpoint-only concern.
Executive priority
Prioritize this as a Windows resilience and SOC visibility question: can the organization distinguish normal BITS use by approved applications from suspicious jobs tied to persistence or execution? This matters for incident response scoping, audit evidence around endpoint monitoring, and control prioritization where business operations depend on Windows systems and background update mechanisms.
Technical view
The supplied relationship maps this detection strategy to ATT&CK T1197: BITS Jobs, with related tactics of stealth, persistence, and execution on Windows. SOC and detection teams should validate that they can observe BITS job creation, modification, execution-related behavior, and associated network/file activity, then correlate that activity to process lineage and user context. Because the official object has no description or detection text, implementation should be driven by local Windows telemetry and the related technique context rather than assuming a complete MITRE analytic.
Likely telemetry
- Windows BITS job metadata and state changes
- Process creation and parent-child process relationships involving BITS-related utilities or COM activity
- File creation or modification associated with background transfers
- Network connections or downloads linked to BITS activity
- User, host, and service-account context for job creation and execution
Detection direction
- Baseline legitimate BITS activity from operating-system components, updaters, messengers, and other approved applications that use background transfers.
- Look for unusual BITS jobs associated with unexpected users, hosts, file paths, command execution, or external destinations.
- Correlate BITS activity with persistence and execution signals rather than alerting on BITS usage alone, because legitimate background activity is common.
- Validate visibility gaps on Windows endpoints where BITS job details, process lineage, or network attribution may not be collected.
- Tune detections to reduce false positives from approved update and messaging software while preserving review of anomalous job creators and destinations.
Mitigation priorities
- Inventory and baseline legitimate BITS usage on Windows systems before enforcing aggressive blocking or alerting.
- Ensure endpoint logging and EDR collection can capture BITS-related job, process, file, and network evidence needed for investigation.
- Restrict administrative privileges and service-account misuse paths that could allow unauthorized creation or manipulation of background jobs.
- Use application control, least privilege, and endpoint hardening to limit suspicious execution paths associated with downloaded content.
- Document detection logic, telemetry sources, and response procedures as compliance and incident-readiness evidence.
Analyst notes and limits
This take is based on the DET0098 detection strategy metadata and its relationship to T1197 BITS Jobs. The ATT&CK object itself does not provide an official description, detection text, platforms, or tactics; platform and tactic context comes from the related technique relationship only.
Local validation is required. The supplied ATT&CK fields do not specify exact analytics, event IDs, log sources, thresholds, or recommended mitigations, so organizations must map this strategy to their Windows logging, EDR, network telemetry, and approved software baselines.
Detect abuse of Windows BITS Jobs for download, execution and persistence
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 720e19efaf69… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0098Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.