Windows.EventLogs.Bitsadmin :: Velociraptor

Windows.EventLogs.Bitsadmin
This content will extract BITS Transfer events and enable filtering by URL and TLD.

name: Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
    This content will extract BITS Transfer events and enable filtering by URL 
    and TLD.

reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html

parameters:
  - name: EventLog
    default: C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
  - name: TldAllowListRegex
    description: TLD allow list regex - anchor TLD - e.g live.com
    default: '(office365|dell|live|mozilla|sun|adobe|onenote|microsoft|windowsupdate|google|oracle|hp)\.(net|com|(|\.au))|\.(office\.net|sentinelone\.net|connectwise.net)|(oneclient\.sfx|aka)\.ms|(10|192)\.d{1,3}\.\d{1,3}\.\d{1,3}'
  - name: UrlAllowListRegex
    description: Secondary whitelist regex. Used for Url

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Find Files in scope
      LET files = SELECT * FROM glob(globs=EventLog)
      
      LET results = SELECT * FROM foreach(
        row=files,
        query={
            SELECT
                timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
                System.Computer as Computer,
                System.EventID.Value as EventId,
                System.Security.UserID as UserId,
                EventData.transferId as TransferId,
                EventData.name as Name,
                EventData.id as Id,
                EventData.url as Url,
                url(parse=EventData.url).Host AS TLD,
                EventData.peer as Peer,
                timestamp(epoch=EventData.fileTime) as FileTime,
                EventData.fileLength as fileLength,
                EventData.bytesTotal as bytesTotal,
                EventData.bytesTransferred as bytesTransferred,
                EventData.bytesTransferredFromPeer
            FROM parse_evtx(filename=OSPath)
            WHERE 
                EventId = 59
                AND NOT if( condition= TldAllowListRegex,
                            then= TLD =~ TldAllowListRegex,
                            else= FALSE)
                AND NOT if( condition= UrlAllowListRegex,
                            then= Url =~ UrlAllowListRegex,
                            else= FALSE)
        })

      SELECT * FROM results
      
    notebook:
      - type: vql_suggestion
        name: Stack rank by TLD
        template: |
            /*
            ## TLD stacking - find potential to add to Ignore regex and triage low counts
            */
            SELECT TLD,count() as TldTotal,
                Url as UrlExample
            FROM source(artifact="Windows.EventLogs.Bitsadmin")
            GROUP BY TLD
            ORDER BY TldTotal