Create BITS Scanner (FireEye BitsParser) #165

phutelmyer · 2021-04-01T15:11:47Z

Is your feature request related to a problem? Please describe.
FireEye recently released a Windows BITS parser
which may be useful for passive data collection and storage of BITS jobs. While the BITS
database is unlikely be to transferred over the network (if you're using Strelka as a network
security tool), users may be able to submit this file from one or many hosts to perform
large scale BITS collection without the need for a separate endpoint querying tool.

Describe the solution you'd like
Create a scanner that will take in a BITS database and provide a list of
dictionaries, like the following:

{
    "JobType": "download",
    "JobPriority": "normal",
    "JobState": "suspended",
    "JobId": "b733e5e1-12ad-463e-a125-ade26cc1fab6",
    "JobName": "SpeechModelDownloadJob",
    "OwnerSID": "S-1-5-20",
    "Owner": "NT AUTHORITY\\NETWORK SERVICE",
    "CreationTime": "2021-01-25T11:52:05Z",
    "ModifiedTime": "2021-01-25T12:45:21Z"
}

Describe alternatives you've considered
N/A

Additional context
N/A

The text was updated successfully, but these errors were encountered:

phutelmyer · 2022-05-17T00:36:41Z

PR for this work

The above PR adds in quite a few requirements + complexity
as it is based off of FireEye's BitsParser.

Works, but could likely use additional tuning + cleanup. Tested on several BITS files:

...
  },
  "scan": {
    "bits": {
      "elapsed": 0.041891,
      "jobs": [
        {
          "CreationTime": "2022-05-16T13:53:31Z",
          "JobDesc": "1cfd2d17-ff51-425d-9ca0-e400f3d930c6",
          "JobId": "26f51a10-ba58-4e3a-b43e-1ae4fca29c9e",
          "JobName": "Edge Component Updater",
          "JobPriority": "normal",
          "JobState": "transferred",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:26:13Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        },
        {
          "CreationTime": "2022-05-15T22:37:24Z",
          "JobDesc": "hfnkpimlhhgieaddgfemjhofmfblmnib_7339_all_fknafaeudafn6nqldnkw35c4w4.crx3",
          "JobId": "f9189f6d-a130-4687-84fc-5ac6c9c4ee6c",
          "JobName": "Chrome Component Updater",
          "JobPriority": "normal",
          "JobState": "transferred",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:31:36Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        },
        {
          "CommandExecuted": "c:\\ADS\\1.txt:cmd.exe",
          "CreationTime": "2022-05-16T18:27:29Z",
          "JobId": "513c0a32-1736-48f7-8a0b-d5c87d327ad9",
          "JobName": "myfile",
          "JobPriority": "normal",
          "JobState": "suspended",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:28:54Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        }
      ]
    },
...

phutelmyer · 2022-05-17T00:40:37Z

Context for BITS if needed: https://www.mandiant.com/resources/attacker-use-of-windows-background-intelligent-transfer-service

phutelmyer added the enhancement New feature or request label Apr 1, 2021

phutelmyer self-assigned this May 15, 2022

phutelmyer linked a pull request May 17, 2022 that will close this issue

Adding BITS Scanner #208

Merged

5 tasks

phutelmyer closed this as completed May 30, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Create BITS Scanner (FireEye BitsParser) #165

Create BITS Scanner (FireEye BitsParser) #165

phutelmyer commented Apr 1, 2021

phutelmyer commented May 17, 2022 •

edited

Loading

phutelmyer commented May 17, 2022

Create BITS Scanner (FireEye BitsParser) #165

Create BITS Scanner (FireEye BitsParser) #165

Comments

phutelmyer commented Apr 1, 2021

phutelmyer commented May 17, 2022 • edited Loading

phutelmyer commented May 17, 2022

phutelmyer commented May 17, 2022 •

edited

Loading