Persistence via BITS Job Notify Cmdline

Elastic Detection Rules

Summary
This detection rule identifies a persistence mechanism in which adversaries abuse the Background Intelligent Transfer Service (BITS) on Windows. By calling the SetNotifyCmdLine method, an attacker can have an arbitrary program executed when a BITS job completes, which lets them keep a foothold on the system. The rule looks for processes started by "svchost.exe" whose arguments indicate that it is hosting the BITS service, while excluding known legitimate child executables to reduce false positives. Investigators are guided on how to review process details, examine executable paths, and analyze command-line arguments, and the rule also covers common false positives and incident response steps. It emphasizes monitoring BITS for unauthorized job executions as part of an endpoint protection strategy.
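The following is an added example, not the rule's own query (this page does not reproduce it): it applies the same logic described above to constructed process-start events, flagging children of the BITS-hosting svchost.exe that are not on a constructed allowlist. The field names, the allowlist patterns and the sample events are assumptions made for illustration.

```python
# Added example: detection logic for the BITS SetNotifyCmdLine persistence
# pattern, run over constructed process-start events. Not Elastic's rule code.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class ProcessStart:
    executable: str            # full path of the started process
    parent_name: str           # image name of the parent process
    parent_args: list = field(default_factory=list)  # parent command line, split


# Constructed allowlist of benign children of the BITS service host. A real
# rule tunes this per environment; "?" stands in for the drive letter.
BENIGN_EXECUTABLES = (
    "?:\\Windows\\System32\\WerFault.exe",
    "?:\\Windows\\System32\\WerFaultSecure.exe",
)


def is_bits_svchost_child(evt: ProcessStart) -> bool:
    """True when the parent is svchost.exe hosting the BITS service."""
    return (evt.parent_name.lower() == "svchost.exe"
            and any(arg.lower() == "bits" for arg in evt.parent_args))


def is_allowlisted(path: str) -> bool:
    """Case-insensitive glob match against the benign-child allowlist."""
    return any(fnmatch(path.lower(), pat.lower()) for pat in BENIGN_EXECUTABLES)


def find_suspicious(events) -> list:
    """Return executables of BITS-spawned children not covered by the allowlist."""
    return [e.executable for e in events
            if is_bits_svchost_child(e) and not is_allowlisted(e.executable)]


# Constructed sample telemetry: one benign WER child, one unknown binary
# spawned by the BITS host, one unrelated process start.
BITS_HOST_ARGS = ["svchost.exe", "-k", "netsvcs", "-p", "-s", "BITS"]
SAMPLE_EVENTS = [
    ProcessStart("C:\\Windows\\System32\\WerFault.exe", "svchost.exe", BITS_HOST_ARGS),
    ProcessStart("C:\\Users\\Public\\updater.exe", "svchost.exe", BITS_HOST_ARGS),
    ProcessStart("C:\\Windows\\System32\\notepad.exe", "explorer.exe", ["explorer.exe"]),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious BITS notify child:", hit)
```

Only the unknown binary under C:\Users\Public is reported; the WerFault.exe child is dropped by the allowlist and the notepad.exe start never matches the parent condition.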
Categories
  • Endpoint
  • Windows
  • Other
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Sensor Health
  • Network Traffic
ATT&CK Techniques
  • T1197
Created: 2021-12-04