BITS Jobs Persistence (T1197)

Background Intelligent Transfer Service (BITS):

BITS is a low-bandwidth, asynchronous file transfer service used by Windows applications to download or upload files in the background without disrupting network performance. It is widely used for software updates, messaging applications, and system maintenance. Attackers can exploit BITS to persistently execute code, download malware, or clean up traces of their activity.

T1197: BITS Jobs Persistence

How Attackers Use BITS for Persistence

Attackers leverage BITS jobs to:

Download and execute malicious payloads in the background.
Maintain persistence by scheduling execution even after reboots.
Evade detection since BITS operates without creating new files or modifying the registry.
They may use bitsadmin (deprecated) or PowerShell’s Start-BitsTransfer for execution.
Once executed, the job deletes itself, making forensic analysis harder.

BITS jobs can run for up to 90 days by default, with possible extensions.

Command-Line Tools Used for BITS Abuse

Attackers use these tools to create and manage BITS jobs:

BITSAdmin – A built-in Windows command-line tool for managing BITS jobs.
PowerShell Cmdlets – Start-BitsTransfer and other commands for manipulating BITS jobs.
Component Object Model (COM) – Allows programmatic control over BITS.

Background Intelligent Transfer Service (BITS):

T1197: BITS Jobs Persistence

How Attackers Use BITS for Persistence

Command-Line Tools Used for BITS Abuse

Example: Creating a Malicious BITS Job