Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1197: BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[1][2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.[2][3]

Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.[4][5][6] BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).[7][4]

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.[4]

EnterpriseT1197TechniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

BITS Jobs matter because they let activity hide inside a normal Windows background transfer service used by legitimate software. If abused, a BITS job can download content, trigger execution after completion or error, survive reboots, and persist for long periods without obvious new files or registry changes. For leaders, the risk is not just malware delivery; it is whether Windows endpoint monitoring, egress controls, and incident response procedures can see and govern a trusted OS mechanism being used for stealth, persistence, and execution.

Executive priority

Prioritize this where Windows endpoints are critical to business operations or where background network activity is broadly allowed. Ask whether security teams can inventory and investigate BITS jobs, whether PowerShell and BITSAdmin usage is monitored, and whether egress filtering distinguishes authorized background transfers from suspicious ones. This technique also supports audit and compliance conversations: evidence should show that privileged account use, OS configuration, and network filtering controls are actively managed rather than assumed.

Technical view

T1197 applies to Windows and is associated with stealth, persistence, and execution. ATT&CK describes abuse of BITS through COM, PowerShell, and BITSAdmin to create self-contained jobs in the BITS job database, download files, invoke programs on job completion or error, and potentially upload data. SOC and IR teams should validate visibility into BITS job creation, modification, long-lived jobs, completion/error actions, BITSAdmin and PowerShell-driven management, and outbound transfers initiated through BITS. Relationship context includes detection strategy DET0098 and use by multiple groups and software entries, including BITSAdmin, Cobalt Strike, backdoors, downloaders, and ransomware-related software; use this as prioritization context, not as proof of local exposure.

Likely telemetry

  • Windows endpoint process creation and command-line activity involving BITSAdmin and PowerShell management of BITS
  • BITS job inventory or artifacts from the BITS job database, including job owner, lifetime, queued files, remote URLs, and notification commands
  • COM-based BITS activity where available from endpoint telemetry
  • Network egress records for background transfers, including destination, timing, volume, and initiating host/process context where available
  • Execution telemetry for programs launched after BITS job completion or error, including after reboot

Detection direction

  • Validate DET0098-style coverage for BITS abuse rather than only generic malware execution alerts.
  • Tune for suspicious BITS characteristics: unexpected users creating jobs, long-lived jobs, unusual remote destinations, jobs with execution actions, or BITS activity paired with PowerShell/BITSAdmin usage.
  • Account for false positives from legitimate updaters, messengers, and applications that use BITS for background transfers; baselining by endpoint role and software inventory is important.
  • Look for relationship-driven chains: BITS download activity may align with ingress tool transfer, execution, cleanup behavior, or alternative-protocol exfiltration described in ATT&CK.
  • Check blind spots where host firewalls allow BITS by default, where command-line logging is incomplete, or where teams do not routinely collect BITS job state during triage.

Mitigation priorities

  • Start with user account management: enforce least privilege and review who can create or manage jobs capable of triggering execution.
  • Harden Windows operating system configuration so unnecessary features and permissive defaults are reduced where business use does not require them.
  • Apply network traffic filtering for ingress, egress, and lateral traffic so background transfers are not implicitly trusted solely because they use a Windows service.
  • Operationalize IR playbooks to enumerate and remove suspicious BITS jobs and to preserve job details for investigation.
  • Use approved software baselines to distinguish legitimate BITS-using applications from unexpected or user-created transfer jobs.
Analyst notes and limits

MITRE provides no official detection text for this technique, but the relationship to DET0098 supplies a detection-strategy anchor. The strongest local validation points are endpoint visibility into BITS job state, PowerShell/BITSAdmin activity, and egress context. The group and software relationships show that this behavior has appeared across different threat and tool contexts, but they should not be interpreted as current activity in any specific environment.

This take is based only on the supplied ATT&CK fields, external references, and relationships. It does not assert active exploitation, confirmed attribution, or existing detection coverage. Exact telemetry availability, logging configuration, normal BITS usage, and response procedures must be verified in the local Windows environment.

Official MITRE ATT&CK definition

BITS Jobs

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).[1][2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.[2][3]

Adversaries may abuse BITS to download (e.g. Ingress Tool Transfer), execute, and even clean up after running malicious code (e.g. Indicator Removal). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.[4][5][6] BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).[7][4]

BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.[4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0040: Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1] [2][3][4]

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Group Enterprise

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Malware Enterprise

S0534: Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]

Windows
Malware Enterprise

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

LinuxmacOSWindows
Malware Enterprise

S0554: Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[1][2][3]

Windows
Malware Enterprise

S0654: ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.[1]

Windows
Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0098: Detect abuse of Windows BITS Jobs for download, execution and persistence Enterprise uses · Malware S0652: MarkiRAT Enterprise uses · Group G0040: Patchwork Enterprise uses · Malware S0534: Bazar Enterprise mitigates · Mitigation M1018: User Account Management Enterprise uses · Malware S0154: Cobalt Strike Enterprise uses · Malware S0554: Egregor Enterprise uses · Malware S0201: JPIN Enterprise mitigates · Mitigation M1037: Filter Network Traffic Enterprise uses · Malware S0333: UBoatRAT Enterprise mitigates · Mitigation M1028: Operating System Configuration Enterprise uses · Malware S0654: ProLock Enterprise uses · Group G0065: Leviathan Enterprise uses · Group G0087: APT39 Enterprise uses · Tool S0190: BITSAdmin Enterprise uses · Group G0096: APT41 Enterprise uses · Group G0102: Wizard Spider Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Mitigation Enterprise

M1037: Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Mitigation Enterprise

M1028: Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.

Enforce OS-level Protections:

- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

*Tools for Implementation*

Windows:

- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
0ef95c4b9cfc8297...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 0ef95c4b9cfc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Microsoft COM

    Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.

    Open source URL
  2. [2]
    Microsoft BITS

    Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.

    Open source URL
  3. [3]
    Microsoft BITSAdmin

    Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.

    Open source URL
  4. [4]
    CTU BITS Malware June 2016

    Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.

    Open source URL
  5. [5]
    Mondok Windows PiggyBack BITS May 2007

    Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018.

    Open source URL
  6. [6]
    Symantec BITS May 2007

    Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.

    Open source URL
  7. [7]
    PaloAlto UBoatRAT Nov 2017

    Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

    Open source URL
  8. [8]
    mitre-attack T1197
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use