
Adding BITS Scanner

Open phutelmyer opened this issue 3 years ago • 0 comments

Describe the change

Adding Microsoft BITS file parser. Likely not going to be a file you come across during network scanning, but can be used in incident response or direct / enterprise fileshotting from a Windows host.

This PR adds in quite a few requirements + complexity as it is based off of FireEye's BitsParser. Unlike BitsParser, this scanner does not support deleted job extraction (BITS jobs are stored in the db, even if they're deleted from BITSAdmin) due to the size of arrays identified during testing (some arrays were seen to be 200+ records). This can likely be turned into an option to enable, though.

Describe testing procedures

Works, but could likely use additional tuning + cleanup as noted by the amount of file changes required. Tested on several BITS files. Rebuilt Strelka using this PR and ran against several BITS db files.

Sample output

...
  },
  "scan": {
    "bits": {
      "elapsed": 0.041891,
      "jobs": [
        {
          "CreationTime": "2022-05-16T13:53:31Z",
          "JobDesc": "1cfd2d17-ff51-425d-9ca0-e400f3d930c6",
          "JobId": "26f51a10-ba58-4e3a-b43e-1ae4fca29c9e",
          "JobName": "Edge Component Updater",
          "JobPriority": "normal",
          "JobState": "transferred",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:26:13Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        },
        {
          "CreationTime": "2022-05-15T22:37:24Z",
          "JobDesc": "hfnkpimlhhgieaddgfemjhofmfblmnib_7339_all_fknafaeudafn6nqldnkw35c4w4.crx3",
          "JobId": "f9189f6d-a130-4687-84fc-5ac6c9c4ee6c",
          "JobName": "Chrome Component Updater",
          "JobPriority": "normal",
          "JobState": "transferred",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:31:36Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        },
        {
          "CommandExecuted": "c:\\ADS\\1.txt:cmd.exe",
          "CreationTime": "2022-05-16T18:27:29Z",
          "JobId": "513c0a32-1736-48f7-8a0b-d5c87d327ad9",
          "JobName": "myfile",
          "JobPriority": "normal",
          "JobState": "suspended",
          "JobType": "download",
          "ModifiedTime": "2022-05-16T18:28:54Z",
          "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"
        }
      ]
    },
...

Checklist

  • [ ] My code follows the style guidelines of this project
  • [x] I have performed a self-review of and tested my code
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings

phutelmyer, May 17 '22 00:05
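One way to triage the scanner's output once it is in a Strelka event, added here as an example and not code from this PR or from Strelka: it assumes only the field names visible in the sample output above (CommandExecuted, JobId, JobName, JobState, OwnerSID), and the heuristics are my own rather than anything the scanner does.

```python
# Added triage example for the scan.bits output shown above; not part of the
# Strelka PR. Field names follow the sample output; the heuristics are mine.

def is_ads_path(path: str) -> bool:
    """True if a Windows path names an NTFS alternate data stream (file:stream).

    The drive-letter colon ("c:") is skipped; any later colon marks a stream.
    """
    body = path[2:] if len(path) > 1 and path[1] == ":" else path
    return ":" in body


def triage_bits_jobs(scan_bits: dict) -> list:
    """Return findings for a Strelka 'scan.bits' object (the dict under 'bits').

    A BITS job may carry a notification command that runs when the transfer
    finishes. The benign updater jobs in the sample carry none, so its presence,
    and especially a command hidden in an alternate data stream, is worth review.
    """
    findings = []
    for job in scan_bits.get("jobs", []):
        cmd = job.get("CommandExecuted")
        if not cmd:
            continue  # ordinary transfer job with no command attached: nothing to flag
        base = {"JobId": job.get("JobId"), "JobName": job.get("JobName"),
                "JobState": job.get("JobState"), "OwnerSID": job.get("OwnerSID")}
        findings.append({**base, "reason": "notify_command_set", "command": cmd})
        if is_ads_path(cmd):
            findings.append({**base, "reason": "command_in_alternate_data_stream", "command": cmd})
    return findings


# Constructed sample shaped like the PR's sample output (values copied from it;
# fields not needed for triage omitted).
SAMPLE_SCAN_BITS = {
    "elapsed": 0.041891,
    "jobs": [
        {"JobId": "26f51a10-ba58-4e3a-b43e-1ae4fca29c9e", "JobName": "Edge Component Updater",
         "JobState": "transferred", "JobType": "download",
         "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"},
        {"JobId": "f9189f6d-a130-4687-84fc-5ac6c9c4ee6c", "JobName": "Chrome Component Updater",
         "JobState": "transferred", "JobType": "download",
         "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"},
        {"CommandExecuted": "c:\\ADS\\1.txt:cmd.exe",
         "JobId": "513c0a32-1736-48f7-8a0b-d5c87d327ad9", "JobName": "myfile",
         "JobState": "suspended", "JobType": "download",
         "OwnerSID": "S-1-5-21-2579307479-883959776-3753017356-1001"},
    ],
}

if __name__ == "__main__":
    for f in triage_bits_jobs(SAMPLE_SCAN_BITS):
        print(f["reason"], f["JobName"], f["command"])
```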