BITS Transfer Jobs

Windows | Persistence Mechanisms | Disk Image

Location

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Description

Background Intelligent Transfer Service database tracking all BITS jobs including download URL, destination path, creation time, and job owner SID.

Forensic Value

Adversaries abuse BITS jobs for stealthy file downloads and persistence because BITS transfers survive reboots and run under the SYSTEM context. Parsing qmgr.db reveals download URLs for second-stage payloads, staging paths, and the exact user account that initiated the transfer. BITS jobs do not appear in standard proxy logs if the system uses direct connections.
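A triage pass over parsed job records, added here as an example and not taken from KAPE, BitsParser or BITS-parser: it flags jobs using the fields named above (download URL, destination path, creation time, owner SID). The CSV column names, the sample rows and the review heuristics are assumptions constructed for illustration.

```python
import csv
import ipaddress
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample; column names are assumptions, not any parser's real schema.
SAMPLE_CSV = r"""job_id,owner_sid,created_utc,url,dest_path
job-1,S-1-5-18,2024-03-02T01:14:07Z,https://updates.example.com/pkg/agent.cab,C:\Windows\SoftwareDistribution\Download\agent.cab
job-2,S-1-5-21-1111111111-2222222222-3333333333-1001,2024-03-02T03:41:55Z,http://203.0.113.45/a.dat,C:\Users\Public\a.dat
job-3,S-1-5-21-1111111111-2222222222-3333333333-1001,2024-03-01T22:05:10Z,https://cdn.example.net/setup.exe,C:\ProgramData\svc\setup.exe
"""

STAGING_DIRS = ("\\users\\public\\", "\\programdata\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
RISKY_EXT = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta"}  # assumed heuristics, tune per site
WELL_KNOWN = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_job(row):
    """Return the reasons a parsed BITS job deserves analyst review."""
    reasons = []
    url = urlsplit(row["url"])
    if url.scheme.lower() != "https":
        reasons.append("non-https-url")
    if url.hostname and is_ip_literal(url.hostname):
        reasons.append("ip-literal-host")
    dest = row["dest_path"].lower()
    if any(d in dest for d in STAGING_DIRS):
        reasons.append("user-writable-destination")
    if PureWindowsPath(dest).suffix in RISKY_EXT:
        reasons.append("executable-destination")
    return reasons

def triage(csv_text):
    """Flag parsed jobs and order the findings by creation time."""
    findings = []
    for r in sorted(csv.DictReader(csv_text.splitlines()), key=lambda r: r["created_utc"]):
        reasons = review_job(r)
        if reasons:
            owner = WELL_KNOWN.get(r["owner_sid"], "user " + r["owner_sid"])
            findings.append((r["created_utc"], r["job_id"], owner, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_CSV), sep="\n")
```

Map the column names to whatever your parser actually emits before running it on real output.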

Tools Required

KAPE | BitsParser | BITS-parser (ANSSI)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target BITSDb

BitsParser

python3 BitsParser.py -i "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" -o C:\output\bits_parsed.csv

PowerShell

Get-BitsTransfer -AllUsers | Format-List *

BITS-parser

python3 bits_parser.py "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" -o C:\output

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1197 | T1105