BITS Jobs - T1197
(ATT&CK® Technique)
Definition
Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
D3FEND Inferred Relationships
BITS Jobs (T1197) may produce these artifacts:
  Intranet IPC Network Traffic
  Intranet Web Network Traffic
  Outbound Internet Web Traffic

Defensive techniques that may detect BITS Jobs (T1197), with the artifacts each analyzes:
  Per Host Download-Upload Ratio Analysis: Intranet Web Network Traffic, Outbound Internet Web Traffic, Intranet IPC Network Traffic
  Remote Terminal Session Detection: Intranet Web Network Traffic, Outbound Internet Web Traffic, Intranet IPC Network Traffic
  IPC Traffic Analysis: Intranet IPC Network Traffic
  Connection Attempt Analysis: Intranet Web Network Traffic, Intranet IPC Network Traffic
  Protocol Metadata Anomaly Detection: Outbound Internet Web Traffic, Intranet IPC Network Traffic, Intranet Web Network Traffic
  Relay Pattern Analysis: Outbound Internet Web Traffic
  Client-server Payload Profiling: Outbound Internet Web Traffic, Intranet IPC Network Traffic, Intranet Web Network Traffic
  Network Traffic Community Deviation: Intranet IPC Network Traffic, Intranet Web Network Traffic, Outbound Internet Web Traffic
  Network Traffic Signature Analysis: Outbound Internet Web Traffic, Intranet IPC Network Traffic, Intranet Web Network Traffic
  User Geolocation Logon Pattern Analysis: Intranet Web Network Traffic, Outbound Internet Web Traffic, Intranet IPC Network Traffic

Defensive techniques that may isolate BITS Jobs (T1197), with the artifacts each filters:
  Network Traffic Filtering: Intranet Web Network Traffic, Outbound Internet Web Traffic, Intranet IPC Network Traffic
  Outbound Traffic Filtering: Outbound Internet Web Traffic