Added parser for ESE DB on Win10+
danzek authored Jun 15, 2021
1 parent 26ba301 commit 057f79b
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion Operating Systems/Windows/BITS.md
Expand Up @@ -62,7 +62,7 @@ Relevant event logs are stored in:

Microsoft-Windows-Bits-Client/(Microsoft-Windows-Bits-Client/Operational.evtx

On newer versions of Windows 10, the BITS transfers are stored in a `.db` file (and I also observed `.log` files) in the same location. This appears to be an ESE database.
On newer versions of Windows 10, the BITS transfers are stored in a `qmgr.db` file (and I also observed `.log` files) in the same location. This is an ESE database and can be parsed with tools like [BitsParser](https://github.com/fireeye/BitsParser).

## Tools / Resources

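Review bot: the rewritten sentence still says the `qmgr.db` file is "in the same location", but the only path visible in this hunk is the `Microsoft-Windows-Bits-Client/Operational.evtx` event log channel, which is a log file rather than the directory the database lives in; stating the directory explicitly in the new sentence would remove the ambiguity. While touching this passage, the unchanged context line above has an unbalanced parenthesis (`Microsoft-Windows-Bits-Client/(Microsoft-Windows-Bits-Client/Operational.evtx`) that could be fixed in the same commit. The change from "appears to be an ESE database" to "is an ESE database" is a reasonable strengthening given the linked parser is built for that format.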
Expand All @@ -85,3 +85,5 @@ On newer versions of Windows 10, the BITS transfers are stored in a `.db` file (
- [BITSInject](https://github.com/SafeBreach-Labs/BITSInject) is a one-click tool to inject jobs into the BITS queue, allowing arbitrary program execution as the `NT AUTHORITY/SYSTEM` account.

- [SecureWorks has written about malware leveraging BITS](https://www.secureworks.com/blog/malware-lingers-with-bits) to evade remediation.

- [FireEye BitsParser for the ESE database on Win10+.](https://github.com/fireeye/BitsParser)
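Review bot: the new bullet puts the trailing period inside the link text (`[FireEye BitsParser for the ESE database on Win10+.](...)`), unlike the other bullets in this list, where the link text is the tool name and the description follows outside the link; consider `- [BitsParser](https://github.com/fireeye/BitsParser) parses the BITS ESE database (`qmgr.db`) on Windows 10 and later.` This is also the second place the same BitsParser URL is added in this commit (it already appears in the rewritten sentence above the Tools section), so the list entry is the one that should carry the description.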
