@mgreen27
Last active May 21, 2021 23:20
VQL for BitsAdmin suspicious download
name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
  This content will extract BITS Transfer events and enable filtering by URL.
reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
parameters:
  - name: EventLog
    default: C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
  - name: UrlWhitelistRegex
    description: Primary whitelist regex - anchor base domain - e.g. *.live.com/*
    default: 'http(s|):(|.*\\.)(live|mozilla|sun|adobe|onenote|microsoft|windowsupdate|office365|google|gvt1|oracle|googleapis|hp)\\.(net|com|(|\\.au))(|:80|:443|:5985)/'
  - name: UrlWhitelistRegex2
    description: Secondary whitelist regex. Used for root domain e.g. live.com/*
    default: '(http(s|)://aka.ms|(10|192)\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(|:80|:443|:5985)/'
  - name: UrlWhitelistRegex3
    description: Secondary whitelist regex. Used for other regex.
sources:
  - precondition: SELECT OS From info() where OS = 'windows'
    query: |
      -- Find files in scope
      LET files = SELECT * FROM glob(globs=EventLog)

      -- Parse each EVTX file and keep EventID 59 rows (BITS started the transfer
      -- job; this event carries the URL) whose URL matches none of the whitelists
      LET results = SELECT * FROM foreach(
        row=files,
        query={
          SELECT
            timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
            System.Computer AS Computer,
            System.EventID.Value AS EventId,
            System.Security.UserID AS UserId,
            EventData.transferId AS TransferId,
            EventData.name AS Name,
            EventData.id AS Id,
            EventData.url AS Url,
            EventData.peer AS Peer,
            timestamp(epoch=EventData.fileTime) AS FileTime,
            EventData.fileLength AS fileLength,
            EventData.bytesTotal AS bytesTotal,
            EventData.bytesTransferred AS bytesTransferred,
            EventData.bytesTransferredFromPeer
          FROM parse_evtx(filename=FullPath)
          WHERE
            EventId = 59
            AND NOT Url =~ UrlWhitelistRegex
            AND NOT Url =~ UrlWhitelistRegex2
            AND NOT Url =~ UrlWhitelistRegex3
        })

      SELECT * FROM results
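As an added example (not part of the gist), the artifact's WHERE clause re-implemented in Python over constructed EventID 59 records, so the default whitelist patterns can be checked against sample URLs before the artifact is deployed. The patterns are the artifact's defaults written as Python raw strings; the event records and URLs are constructed for the example.

```python
import re

# The artifact's two default whitelist regexes, written as Python raw strings
# (Python's re accepts the same syntax). UrlWhitelistRegex3 has no default in
# the artifact, so it is left empty here.
URL_WHITELIST = [
    r"http(s|):(|.*\.)(live|mozilla|sun|adobe|onenote|microsoft|windowsupdate"
    r"|office365|google|gvt1|oracle|googleapis|hp)\.(net|com|(|\.au))(|:80|:443|:5985)/",
    r"(http(s|)://aka.ms|(10|192)\.\d{1,3}\.\d{1,3}\.\d{1,3})(|:80|:443|:5985)/",
    "",
]

# Constructed records shaped like the artifact's output rows (not real log data).
# EventID 59 is "BITS started the transfer job" and carries the URL; EventID 60 is
# the stop event and is outside the filter's scope.
SAMPLE_EVENTS = [
    {"EventId": 59, "TransferId": "{1}", "Url": "https://download.windowsupdate.com/d/update.cab"},
    {"EventId": 59, "TransferId": "{2}", "Url": "http://192.168.10.5:5985/wsman"},
    {"EventId": 59, "TransferId": "{3}", "Url": "https://aka.ms/vs/installer"},
    {"EventId": 59, "TransferId": "{4}", "Url": "http://203.0.113.7/payload.bin"},
    {"EventId": 60, "TransferId": "{4}", "Url": "http://203.0.113.7/payload.bin"},
    {"EventId": 59, "TransferId": "{5}", "Url": "https://files.example.net/updater.exe"},
]


def suspicious_bits_transfers(events, whitelist=URL_WHITELIST):
    """Mirror the artifact's WHERE clause: keep EventID 59 rows whose URL
    matches none of the whitelist patterns. Like VQL's =~, re.search is an
    unanchored match. An empty pattern would match every URL, so blank
    entries (such as the unset UrlWhitelistRegex3) are skipped, not applied."""
    patterns = [re.compile(p) for p in whitelist if p]
    return [
        ev for ev in events
        if ev["EventId"] == 59 and not any(p.search(ev["Url"]) for p in patterns)
    ]


if __name__ == "__main__":
    for ev in suspicious_bits_transfers(SAMPLE_EVENTS):
        print(ev["TransferId"], ev["Url"])
```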