@tomsonpl tomsonpl commented Nov 7, 2025

BITS Jobs Monitoring Artifact

This PR adds osquery saved queries for monitoring BITS (Background Intelligent Transfer Service) file transfers to detect potential data exfiltration or malware downloads. BITS is commonly abused by adversaries for covert file transfers and persistence mechanisms (MITRE ATT&CK T1197).

Read https://p.elstc.co/paste/-pG3RF1v#qxFQ0hk08Sj4C1zZ8es5KgJ72sl1-LdcpPg3rMVLecP

Core Forensic Artifacts Coverage Table

| # | Artifact | OS | Query | File | Description |
|---|---|---|---|---|---|
| 31 | BITS Jobs Database | Windows | bits_monitoring_windows_elastic | 4b2e8f3a | Monitor BITS file transfers to detect suspicious external downloads |

Queries by Platform


🪟 Windows - BITS Transfer Monitoring

Description

Monitors BITS (Background Intelligent Transfer Service) file transfers to identify potential security threats including data exfiltration, malware downloads, and persistence mechanisms. The query analyzes Windows Event Log Event ID 59 (BITS transfer completion) to detect transfers to non-whitelisted external domains.

Detection Focus:

  • BITS transfers to non-whitelisted external domains (potential C2 communication)
  • Downloads from unusual or suspicious sources
  • File transfer activity outside typical enterprise patterns
  • Covert data exfiltration using BITS service
  • Malware downloads leveraging BITS for persistence

Filtering Strategy:

  • Allowlist: Excludes known-good vendors (Microsoft, Adobe, Google, Oracle, HP, Mozilla)
  • Private Networks: Filters out internal IP ranges (10.x, 192.168.x, 172.16-31.x)
  • Focus: Alerts only on non-whitelisted external file transfers

Results

Screenshot 2025-11-07 at 11 56 28

Query returns BITS transfer events with:

  • Transfer timestamp and event details
  • Full URL and extracted hostname
  • BITS job/file name
  • Provider information

Results indicate suspicious external file transfer activity requiring investigation.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

bits_monitoring_windows_elastic

ECS Field Mappings

  • event.category: ["network"]
  • event.type: ["connection", "info"]
  • event.action: ["bits-transfer"]
  • event.code: eventid
  • event.provider: provider_name
  • url.full: Url
  • url.domain: Host
  • file.name: Name
  • tags: ["persistence", "defense_evasion", "bits_jobs", "network_transfer", "mitre_t1197"]

SQL Query

-- Monitor BITS (Background Intelligent Transfer Service) file transfers
-- Source: Windows Event Log (Microsoft-Windows-Bits-Client/Operational)
-- Event ID 59: BITS transfer completion events
-- Focus: External/suspicious download sources (filters out known-good vendors and private IPs)
-- MITRE ATT&CK: T1197 (BITS Jobs)

WITH extracted AS (
    SELECT
        datetime,
        provider_name,
        eventid,
        json_extract(data, '$.EventData.url') AS Url,
        -- Hostname only: capture group 1 is everything after the scheme up to the
        -- first '/', ':' (port), '?' or '#'. This does not depend on split() token
        -- indexing and is not confused by a port or path. Lowercased so the
        -- allowlist match below is case-insensitive.
        lower(regex_match(
            json_extract(data, '$.EventData.url'),
            '^[A-Za-z][A-Za-z0-9+.-]*://([^/:?#]+)',
            1
        )) AS Host,
        json_extract(data, '$.EventData.name') AS Name
    FROM windows_eventlog
    WHERE channel = 'Microsoft-Windows-Bits-Client/Operational'
      AND eventid = 59
)

SELECT *
FROM extracted
-- The allowlist is anchored: a host is excluded only if it is one of the listed
-- domains or a subdomain of one, or starts with an RFC 1918 prefix. Unanchored,
-- a host such as 'microsoft.com.<other-domain>' or 'cdn10.<other-domain>' would
-- be silently excluded from the results.
WHERE regex_match(
    Host,
    '^([a-z0-9-]+\.)*(office365\.com|office\.net|windowsupdate\.com|live\.com|mozilla\.com|adobe\.com|microsoft\.com|google\.com|oracle\.com|hp\.com|aka\.ms|gvt1\.com|oneclient\.sfx\.ms)$|^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)',
    0
) IS NULL;

MITRE ATT&CK Coverage

Technique: T1197 - BITS Jobs

  • Tactics: Defense Evasion, Persistence
  • Description: Adversaries abuse BITS for covert file transfers, malware downloads, and establishing persistence
  • Detection: Identifies BITS transfers to suspicious external hosts outside normal enterprise patterns
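Added example, not part of this PR or the osquery project: the same filter as the query, written in Python so it can be run offline against constructed Event ID 59 rows (the `_row` helper and `SAMPLE_EVENTS` are constructed for illustration, not real telemetry). The vendor allowlist is matched on a label boundary and the private ranges as CIDR blocks, so lookalike hosts are not silently excluded.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Vendor allowlist and RFC 1918 ranges taken from the PR's query; a host is
# allowlisted only when it equals a listed domain or is a subdomain of it.
ALLOWED_DOMAINS = (
    "office365.com", "office.net", "windowsupdate.com", "live.com", "mozilla.com",
    "adobe.com", "microsoft.com", "google.com", "oracle.com", "hp.com", "aka.ms",
    "gvt1.com", "oneclient.sfx.ms",
)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_host(url: str) -> str:
    # Hostname of a BITS job URL: no scheme, port or path, lowercased.
    return (urlsplit(url).hostname or "").lower()

def is_allowlisted(host: str) -> bool:
    # Suffix match on a label boundary, so 'microsoft.com.example.net' is NOT allowlisted.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def is_private_ip(host: str) -> bool:
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE_NETS)
    except ValueError:  # not an IP literal
        return False

def suspicious_transfers(events):
    """Rows from the BITS-Client channel, Event ID 59, whose host is neither allowlisted nor private."""
    alerts = []
    for ev in events:
        if ev["channel"] != "Microsoft-Windows-Bits-Client/Operational" or ev["eventid"] != 59:
            continue
        fields = json.loads(ev["data"])["EventData"]
        host = extract_host(fields["url"])
        if not is_allowlisted(host) and not is_private_ip(host):
            alerts.append({"datetime": ev["datetime"], "url": fields["url"], "host": host, "name": fields["name"]})
    return alerts

def _row(ts, eid, url, name):
    # Constructed row in the shape of osquery's windows_eventlog table.
    return {"channel": "Microsoft-Windows-Bits-Client/Operational", "eventid": eid, "datetime": ts,
            "data": json.dumps({"EventData": {"url": url, "name": name}})}

# Constructed sample rows (not real telemetry): only the lookalike host should alert.
SAMPLE_EVENTS = [
    _row("2025-11-07T10:00:00Z", 59, "https://download.windowsupdate.com/d/update.cab", "WU"),
    _row("2025-11-07T10:01:00Z", 59, "http://10.20.30.40:8080/agent.msi", "Internal deploy"),
    _row("2025-11-07T10:02:00Z", 59, "https://microsoft.com.example.net/update.exe", "Lookalike"),
    _row("2025-11-07T10:03:00Z", 60, "https://cdn.example.org/tool.zip", "Not event 59"),
]
```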

@tomsonpl tomsonpl self-assigned this Nov 7, 2025
@tomsonpl tomsonpl added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 7, 2025
@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch November 7, 2025 10:59
@tomsonpl tomsonpl marked this pull request as ready for review November 7, 2025 10:59
@tomsonpl tomsonpl requested a review from a team as a code owner November 7, 2025 10:59
@tomsonpl tomsonpl requested review from parkiino and szwarckonrad and removed request for a team November 7, 2025 10:59
@elasticmachine

💚 Build Succeeded

cc @tomsonpl
