
New BITS Job Created Via Bitsadmin

Sigma Rules

Summary
This detection rule identifies the creation of new Background Intelligent Transfer Service (BITS) jobs via the Bitsadmin utility on Windows systems. It monitors event ID 3, which corresponds to BITS job creation, and filters for instances where the creating process path ends with '\bitsadmin.exe'. Because legitimate applications and administrators may also use Bitsadmin for file transfers or task automation, the detection is assigned a low severity level. It is advised to correlate this event with related events, specifically Event ID 16403, joining on the JobID field, to obtain full context and reduce false positives. The rule supports ongoing monitoring of potentially malicious activity that employs BITS for persistence or defense evasion.
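The following is an added illustration of the detection logic described above, written for this page and not taken from the Sigma rule itself. It applies the rule's selection (event ID 3, process path ending in '\bitsadmin.exe', matched case-insensitively as Sigma does by default) to a handful of constructed BITS-Client-style event records, then performs the recommended correlation with Event ID 16403 on the JobID field. The event field names (`processPath`, `jobId`, `url`) and the sample values are assumptions for the example, not a specification of the Windows event schema.

```python
from collections import defaultdict

# Constructed sample events (not real log data). Field names are assumptions
# modelled loosely on a BITS-Client operational event; only EventID,
# processPath and jobId matter for the rule and its correlation.
SAMPLE_EVENTS = [
    {"EventID": 3, "processPath": r"C:\Windows\System32\bitsadmin.exe",
     "jobId": "{JOB-0001}", "jobTitle": "update"},
    {"EventID": 3, "processPath": r"C:\Program Files\Vendor\Updater.exe",
     "jobId": "{JOB-0002}", "jobTitle": "vendor-update"},
    {"EventID": 16403, "jobId": "{JOB-0001}",
     "url": "http://example.invalid/transfer.bin"},
    {"EventID": 16403, "jobId": "{JOB-0002}",
     "url": "https://updates.example.invalid/patch.cab"},
    # Same process, different event ID: must not trigger the rule.
    {"EventID": 4, "processPath": r"C:\Windows\System32\bitsadmin.exe",
     "jobId": "{JOB-0001}"},
]


def matches_rule(event):
    """Rule selection: EventID 3 AND processPath endswith '\\bitsadmin.exe'.

    Sigma string matching is case-insensitive by default, so the path is
    lower-cased before the suffix check.
    """
    if event.get("EventID") != 3:
        return False
    path = event.get("processPath", "")
    return path.lower().endswith("\\bitsadmin.exe")


def correlate(events):
    """Return one low-severity alert per matching job-creation event.

    Each alert carries every Event ID 16403 record that shares the same
    JobID, which is the context the rule summary recommends gathering
    before triage.
    """
    related_by_job = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 16403:
            related_by_job[ev.get("jobId")].append(ev)

    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": "New BITS Job Created Via Bitsadmin",
                "level": "low",
                "jobId": ev.get("jobId"),
                "processPath": ev.get("processPath"),
                "related_16403": related_by_job.get(ev.get("jobId"), []),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["level"], alert["jobId"], alert["processPath"])
        for rel in alert["related_16403"]:
            print("  related 16403:", rel.get("url"))
```

Run against the constructed sample set, only the job created by bitsadmin.exe raises an alert; the vendor updater's job and the later event ID 4 record from the same process are ignored, and the alert is enriched with the 16403 record for the same JobID so an analyst can see the transfer URL alongside the creating process.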
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1197
Created: 2022-03-01