# T1197: BITS Jobs Adversaries may abuse BITS jobs persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updates, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). BITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol. In the following example I will create a simple bitsadmin job with user Privileges this will start a calc process to execute. First we use the /create option to create our job ![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhHFLvttKgY6bV3sia%2F-MRhHQy4iHJgIxe6ZNLr%2Fimage.png?alt=media\&token=19bfe3b8-d5f6-484e-a1d5-1a8eb96eec42) We will attach a file as well: ![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhHFLvttKgY6bV3sia%2F-MRhHPCtA-UJsmpNG3p8%2Fimage.png?alt=media\&token=66c32a6e-a9e5-40cd-a694-452be91fb020) A file needs to be created for the job to function properly. Then we will use the SetNotifyCmdLine Parameter this will set a program to execute for notification, and can optionally take parameters. These options can also be NULL. ![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhHFLvttKgY6bV3sia%2F-MRhHQ6sMtPfOwuFHTyv%2Fimage.png?alt=media\&token=20827727-b4a0-4f52-9c10-8fcfbe022ba0) Too much of an extra step but we will call cmd to start a calc process on our job ![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhHFLvttKgY6bV3sia%2F-MRhHRuDy4uuyAthh-aD%2Fimage.png?alt=media\&token=25f48efe-3aed-4cc9-99fb-49aabf7ed5f8) Demo: ![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhHFLvttKgY6bV3sia%2F-MRhI5u9Sp5UxfhkntAF%2FBitsAdmin-Sample.gif?alt=media\&token=74460b51-06fd-4fe3-ac9e-6270d5d223f3) References: LOLBAS --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/untitled-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.