Merge pull request #89 from rathbuna/master

Add new maps, minor fixes, added documentation

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map

@@ -42,6 +42,10 @@ Maps:
 # Documentation:
 # https://www.cecyf.fr/wp-content/uploads/2018/01/2018-CELTON-DELAHAYE-Analyse-des-jobs-BITS.pdf
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm#SuccessCondition
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:
 # <Event>

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map

@@ -4,42 +4,49 @@ EventId: 4
 Channel: Microsoft-Windows-Bits-Client/Operational
 Provider: Microsoft-Windows-Bits-Client
 Maps:
-   -
+  -
     Property: UserName
-    PropertyValue: "jobOwner: %jobOwner%%string2%"
+    PropertyValue: "%User%"
     Values: 
       - 
-        Name: jobOwner
+        Name: User
         Value: "/Event/EventData/Data[@Name=\"User\"]"
-   -
+  -
     Property: PayloadData1
     PropertyValue: "jobTitle: %jobTitle%"
     Values: 
       - 
         Name: jobTitle
         Value: "/Event/EventData/Data[@Name=\"jobTitle\"]"
-   -
+  -
     Property: PayloadData2
     PropertyValue: "jobId: %jobId%"
     Values: 
       - 
         Name: jobId
         Value: "/Event/EventData/Data[@Name=\"jobId\"]"
-   -
+  -
     Property: PayloadData3
     PropertyValue: "fileCount: %fileCount%"
     Values: 
       - 
         Name: fileCount
         Value: "/Event/EventData/Data[@Name=\"fileCount\"]" 
-   -
+  -
+    Property: PayloadData4
+    PropertyValue: "Bytes jobOwner: %jobOwner%"
+    Values: 
+      - 
+        Name: jobOwner
+        Value: "/Event/EventData/Data[@Name=\"jobOwner\"]"
+  -
     Property: PayloadData5
     PropertyValue: "Bytes Transferred: %bytesTransferred%"
     Values: 
       - 
         Name: bytesTransferred
         Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" 
-   -
+  -
     Property: PayloadData6
     PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
     Values: 
@@ -49,33 +56,37 @@ Maps:
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:
 # <Event>
-  # <System>
-    # <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1cc15b-46c1-414e-bb95-e76b077bd51e" />
-    # <EventID>4</EventID>
-    # <Version>1</Version>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Opcode>0</Opcode>
-    # <Keywords>0x4000000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-07-03 08:55:51.3562594" />
-    # <EventRecordID>2778</EventRecordID>
-    # <Correlation />
-    # <Execution ProcessID="1556" ThreadID="4812" />
-    # <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
-    # <Computer>MSEDGEWIN10</Computer>
-    # <Security UserID="S-1-5-18" />
-  # </System>
-  # <EventData>
-    # <Data Name="User">MSEDGEWIN10\IEUser</Data>
-    # <Data Name="jobTitle">Download LockScreen Image</Data>
-    # <Data Name="jobId">ff819706-9ff9-490b-ade5-b069232c5d23</Data>
-    # <Data Name="jobOwner">MSEDGEWIN10\IEUser</Data>
-    # <Data Name="fileCount">1</Data>
-    # <Data Name="bytesTransferred">162791</Data>
-    # <Data Name="bytesTransferredFromPeer">0</Data>
-  # </EventData>
-# </Event>
+#    <System>
+#      <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1cc15b-46c1-414e-bb95-e76b077bd51e" />
+#      <EventID>4</EventID>
+#      <Version>1</Version>
+#      <Level>4</Level>
+#      <Task>0</Task>
+#      <Opcode>0</Opcode>
+#      <Keywords>0x4000000000000000</Keywords>
+#      <TimeCreated SystemTime="2020-07-03 08:55:51.3562594" />
+#      <EventRecordID>2778</EventRecordID>
+#      <Correlation />
+#      <Execution ProcessID="1556" ThreadID="4812" />
+#      <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
+#      <Computer>MSEDGEWIN10</Computer>
+#      <Security UserID="S-1-5-18" />
+#    </System>
+#    <EventData>
+#      <Data Name="User">MSEDGEWIN10\IEUser</Data>
+#      <Data Name="jobTitle">Download LockScreen Image</Data>
+#      <Data Name="jobId">ff819706-9ff9-490b-ade5-b069232c5d23</Data>
+#      <Data Name="jobOwner">MSEDGEWIN10\IEUser</Data>
+#      <Data Name="fileCount">1</Data>
+#      <Data Name="bytesTransferred">162791</Data>
+#      <Data Name="bytesTransferredFromPeer">0</Data>
+#    </EventData>
+#  </Event>
 

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map

@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: BITS job cancellation
+EventId: 5
+Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
+Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values: 
+      - 
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "jobTitle: %jobTitle%"
+    Values: 
+      - 
+        Name: jobTitle
+        Value: "/Event/EventData/Data[@Name=\"jobTitle\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "jobId: %jobId%"
+    Values: 
+      - 
+        Name: jobId
+        Value: "/Event/EventData/Data[@Name=\"jobId\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "fileCount: %fileCount%"
+    Values: 
+      - 
+        Name: fileCount
+        Value: "/Event/EventData/Data[@Name=\"fileCount\"]" 
+  -
+    Property: PayloadData4
+    PropertyValue: "Bytes jobOwner: %jobOwner%"
+    Values: 
+      - 
+        Name: jobOwner
+        Value: "/Event/EventData/Data[@Name=\"jobOwner\"]"
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1aa15b-46c1-414e-bb95-e76b077bd51e" />
+#     <EventID>5</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x4000060000000000</Keywords>
+#     <TimeCreated SystemTime="2020-09-27 13:50:51.9617212" />
+#     <EventRecordID>651942</EventRecordID>
+#     <Correlation ActivityID="41f524a4-9411-0001-322a-f5411194d601" />
+#     <Execution ProcessID="916" ThreadID="680" />
+#     <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
+#     <Computer>HOSTNAME.domain.com</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <EventData>
+#     <Data Name="User">NT AUTHORITY\SYSTEM</Data>
+#     <Data Name="jobTitle">CCM Message Upload {5F4D139A-8476-4FFB-BDCC-0A61ARDE528F}</Data>
+#     <Data Name="jobId">2679aae7-d9d0-4a03-b110-87eb72619f87</Data>
+#     <Data Name="jobOwner">NT AUTHORITY\SYSTEM</Data>
+#     <Data Name="fileCount">1</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map

@@ -55,7 +55,8 @@ Maps:
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 # https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
-# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734713(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
 #
 # Example Event Data:
 #<Event>

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map

@@ -55,43 +55,44 @@ Maps:
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 # https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
-# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734635(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
 #
 # Example Event Data:
-#<Event>
-#  <System>
-#    <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1ab15b-46c1-414e-bb95-e76b077bd51e" />
-#    <EventID>60</EventID>
-#    <Version>1</Version>
-#    <Level>4</Level>
-#    <Task>0</Task>
-#    <Opcode>2</Opcode>
-#    <Keywords>0x4000000800000000</Keywords>
-#    <TimeCreated SystemTime="2020-11-30 17:31:11.2022221" />
-#    <EventRecordID>1532</EventRecordID>
-#    <Correlation ActivityID="76099896-f8ef-40f3-853b-9d3725e4b2f7" />
-#    <Execution ProcessID="7788" ThreadID="16396" />
-#    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
-#    <Computer>HOSTNAME</Computer>
-#    <Security UserID="S-1-5-18" />
-#  </System>
-#  <EventData>
-#    <Data Name="transferId">76052606-f8ef-40f3-853b-9d3725e4b2f7</Data>
-#    <Data Name="name">UpdateXml</Data>
-#    <Data Name="Id">f4ecc13b-4421-48a3-8766-4b987a0e5995</Data>
-#    <Data Name="url">https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e</Data>
-#    <Data Name="peer"></Data>
-#    <Data Name="hr">0</Data>
-#    <Data Name="fileTime">2020-11-23 20:04:21.0000000</Data>
-#    <Data Name="fileLength">993</Data>
-#    <Data Name="bytesTotal">993</Data>
-#    <Data Name="bytesTransferred">993</Data>
-#    <Data Name="proxy"></Data>
-#    <Data Name="peerProtocolFlags">0</Data>
-#    <Data Name="bytesTransferredFromPeer">0</Data>
-#    <Data Name="AdditionalInfoHr">0</Data>
-#    <Data Name="PeerContextInfo">0</Data>
-#    <Data Name="bandwidthLimit">18446749973709551615</Data>
-#    <Data Name="ignoreBandwidthLimitsOnLan">False</Data>
-#  </EventData>
-#</Event>
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1ab15b-46c1-414e-bb95-e76b077bd51e" />
+#     <EventID>60</EventID>
+#     <Version>1</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>2</Opcode>
+#     <Keywords>0x4000000800000000</Keywords>
+#     <TimeCreated SystemTime="2020-11-30 17:31:11.2022221" />
+#     <EventRecordID>1532</EventRecordID>
+#     <Correlation ActivityID="76099896-f8ef-40f3-853b-9d3725e4b2f7" />
+#     <Execution ProcessID="7788" ThreadID="16396" />
+#     <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
+#     <Computer>HOSTNAME</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <EventData>
+#     <Data Name="transferId">76052606-f8ef-40f3-853b-9d3725e4b2f7</Data>
+#     <Data Name="name">UpdateXml</Data>
+#     <Data Name="Id">f4ecc13b-4421-48a3-8766-4b987a0e5995</Data>
+#     <Data Name="url">https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e</Data>
+#     <Data Name="peer"></Data>
+#     <Data Name="hr">0</Data>
+#     <Data Name="fileTime">2020-11-23 20:04:21.0000000</Data>
+#     <Data Name="fileLength">993</Data>
+#     <Data Name="bytesTotal">993</Data>
+#     <Data Name="bytesTransferred">993</Data>
+#     <Data Name="proxy"></Data>
+#     <Data Name="peerProtocolFlags">0</Data>
+#     <Data Name="bytesTransferredFromPeer">0</Data>
+#     <Data Name="AdditionalInfoHr">0</Data>
+#     <Data Name="PeerContextInfo">0</Data>
+#     <Data Name="bandwidthLimit">18446749973709551615</Data>
+#     <Data Name="ignoreBandwidthLimitsOnLan">False</Data>
+#   </EventData>
+# </Event>