-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create Windows.EventLogs.Bitsadmin.yaml (#158)
Added the BitsAdmin artifact from the Exchange so that is is available in R7 Velociraptor
- Loading branch information
1 parent
b25ad60
commit daf0d87
Showing
1 changed file
with
71 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| name: Windows.EventLogs.Bitsadmin | ||
| author: "Matt Green - @mgreen27" | ||
| description: | | ||
| This content will extract BITS Transfer events and enable filtering by URL | ||
| and TLD. | ||
| reference: | ||
| - https://attack.mitre.org/techniques/T1197/ | ||
| - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html | ||
|
|
||
| parameters: | ||
| - name: EventLog | ||
| default: C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | ||
| - name: TldAllowListRegex | ||
| description: TLD allow list regex - anchor TLD - e.g live.com | ||
| default: '(office365|dell|live|mozilla|sun|adobe|onenote|microsoft|windowsupdate|google|oracle|hp)\.(net|com|(|\.au))|\.(office\.net|sentinelone\.net|connectwise.net)|(oneclient\.sfx|aka)\.ms|(10|192)\.d{1,3}\.\d{1,3}\.\d{1,3}' | ||
| - name: UrlAllowListRegex | ||
| description: Secondary whitelist regex. Used for Url | ||
|
|
||
| sources: | ||
| - precondition: | ||
| SELECT OS From info() where OS = 'windows' | ||
|
|
||
| query: | | ||
| -- Find Files in scope | ||
| LET files = SELECT * FROM glob(globs=EventLog) | ||
| LET results = SELECT * FROM foreach( | ||
| row=files, | ||
| query={ | ||
| SELECT | ||
| timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime, | ||
| System.Computer as Computer, | ||
| System.EventID.Value as EventId, | ||
| System.Security.UserID as UserId, | ||
| EventData.transferId as TransferId, | ||
| EventData.name as Name, | ||
| EventData.id as Id, | ||
| EventData.url as Url, | ||
| url(parse=EventData.url).Host AS TLD, | ||
| EventData.peer as Peer, | ||
| timestamp(epoch=EventData.fileTime) as FileTime, | ||
| EventData.fileLength as fileLength, | ||
| EventData.bytesTotal as bytesTotal, | ||
| EventData.bytesTransferred as bytesTransferred, | ||
| EventData.bytesTransferredFromPeer | ||
| FROM parse_evtx(filename=OSPath) | ||
| WHERE | ||
| EventId = 59 | ||
| AND NOT if( condition= TldAllowListRegex, | ||
| then= TLD =~ TldAllowListRegex, | ||
| else= FALSE) | ||
| AND NOT if( condition= UrlAllowListRegex, | ||
| then= Url =~ UrlAllowListRegex, | ||
| else= FALSE) | ||
| }) | ||
| SELECT * FROM results | ||
| notebook: | ||
| - type: vql_suggestion | ||
| name: Stack rank by TLD | ||
| template: | | ||
| /* | ||
| ## TLD stacking - find potential to add to Ignore regex and triage low counts | ||
| */ | ||
| SELECT TLD,count() as TldTotal, | ||
| Url as UrlExample | ||
| FROM source(artifact="Windows.EventLogs.Bitsadmin") | ||
| GROUP BY TLD | ||
| ORDER BY TldTotal |