BITSadmin Execution

Anvilogic Forge

Summary
This detection rule identifies the use of BITSAdmin, the command-line tool for managing Background Intelligent Transfer Service (BITS) jobs, which threat actors frequently abuse. BITSAdmin can be leveraged for job persistence, lateral movement, and exfiltration, typically while trying to remain undetected by blending in with legitimate transfer activity. The rule analyzes Sysmon event logs for events that record the execution of the BITSAdmin process. This behavior is associated with well-known threat actors, including Andariel and APT31, who use the tool as part of their tactics, techniques, and procedures (TTPs). The detection filters for the specific event codes that signal BITSAdmin invocation and organizes the relevant fields (timestamps, hostnames, user accounts, and parent/child process relationships) to support incident response and forensic analysis. By focusing on these indicators, organizations can more readily identify intrusions or insider threats that use BITSAdmin in unauthorized ways. Grounding the rule in known threat actor techniques improves its coverage of current threats.
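The detection logic described above, as an added illustration that is not the Anvilogic rule's own code: it reads Sysmon events as JSON lines, keeps only Process Create events (Sysmon Event ID 1) whose image is bitsadmin.exe regardless of path or case, and emits the fields the summary lists. The sample events, host names, and GUIDs are constructed; real Sysmon data would come from the Windows event log or a SIEM.

```python
import json
from typing import Iterable

PROCESS_CREATE = 1  # Sysmon Event ID 1: Process Create
# ATT&CK techniques this page maps the rule to
TECHNIQUES = ["T1105", "T1197", "T1048.003", "T1570"]

# Constructed sample telemetry (JSON lines), not real events.
# Event 3 is a Sysmon network connection event and should be ignored by this rule.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2024-02-09 10:15:02.117", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin.exe /list /allusers", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ProcessGuid": "{GUID-A}", "ParentProcessGuid": "{GUID-B}"}
{"EventID": 1, "UtcTime": "2024-02-09 10:15:03.001", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessGuid": "{GUID-C}", "ParentProcessGuid": "{GUID-D}"}
{"EventID": 3, "UtcTime": "2024-02-09 10:15:04.500", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\bitsadmin.exe", "DestinationIp": "203.0.113.10"}
{"EventID": 1, "UtcTime": "2024-02-09 10:16:40.220", "Computer": "SRV02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\SysWOW64\\BITSADMIN.EXE", "CommandLine": "BITSADMIN.EXE /list", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessGuid": "{GUID-E}", "ParentProcessGuid": "{GUID-F}"}
"""


def is_bitsadmin(image: str) -> bool:
    """Match on the executable name only, case-insensitively, so a renamed
    directory (System32 vs SysWOW64) or odd casing does not evade the check."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "bitsadmin.exe"


def detect_bitsadmin(events: Iterable[dict]) -> list[dict]:
    """Return one normalized hit per BITSAdmin process-creation event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != PROCESS_CREATE or not is_bitsadmin(ev.get("Image", "")):
            continue
        hits.append({
            "time": ev["UtcTime"],
            "host": ev["Computer"],
            "user": ev["User"],
            "process": ev["Image"],
            "command_line": ev.get("CommandLine", ""),
            "parent_process": ev.get("ParentImage", ""),
            "process_guid": ev.get("ProcessGuid"),
            "parent_guid": ev.get("ParentProcessGuid"),
            "techniques": TECHNIQUES,
        })
    return hits


def run_rule(jsonl: str = SAMPLE_EVENTS) -> list[dict]:
    """Parse JSON-lines input and apply the rule."""
    events = (json.loads(line) for line in jsonl.strip().splitlines() if line.strip())
    return detect_bitsadmin(events)


if __name__ == "__main__":
    for hit in run_rule():
        print(json.dumps(hit))
```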
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1105
  • T1197
  • T1048.003
  • T1570
Created: 2024-02-09