Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0003 ✕ technique: T1197 ✕
Show ATT&CK heatmapBitsadmin.exe persistence using command-line callback Medium
BITSAdmin.exe was used with a command-line that may indicate malware trying to gain persistence on the machine.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: BITS Jobs (T1197)Required data: XDR AgentAttacker's goals: Gain persistence using the legitimate bitsadmin 'setnotifycmdline' mechanism, which triggers process executions once a Bits job is done or fails.Investigative actions: Check if the command line contains any malicious indicators. Check if the parent process is suspicious. Check if the command-line used to persist is malicious or references a malicious binary.