Message

BITS job "%2" with ID %1 has been resumed.

Fields

Message

BITS job "%2" with ID %1 has been suspended.

Fields

Message

The BITS service created a new job: %1, with owner %2

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 3
  version: 3
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:45:20.897391+00:00'
  event_record_id: 432
  correlation:
    ActivityID: E4DB489E-1037-0002-3588-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 17248
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  jobTitle: Chrome Component Updater
  jobId: 9A25D168-24E6-4C66-AC78-5ED0E6007F1A
  jobOwner: WINDEV2310EVAL\User
  processPath: C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.222.982.0_x64__zpdnekdrzrea0\Spotify.exe
  processId: 2208
  ClientProcessStartKey: 3659174697241209
message: ''

Sigma Rules

• New BITS Job Created Via Bitsadmin
  Detects the creation of a new bits job by Bitsadmin
• New BITS Job Created Via PowerShell
  Detects the creation of a new bits job by PowerShell

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The transfer job is complete.
User: %1
Transfer job: %2
Job ID: %3
Owner: %4
File count: %5

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 4
  version: 1
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T02:02:24.353689+00:00'
  event_record_id: 436
  correlation:
    ActivityID: E4DB489E-1037-0002-3588-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 5192
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  User: WINDEV2310EVAL\User
  jobTitle: Edge Component Updater
  jobId: 3C77FC9E-C30A-4FC3-804B-82E48B3059B6
  jobOwner: WINDEV2310EVAL\User
  fileCount: 1
  bytesTransferred: 201001
  bytesTransferredFromPeer: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Job cancelled. User: %1, job: %2, jobID: %3, owner: %4, filecount: %5

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 5
  version: 1
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-25T21:23:18.455184+00:00'
  event_record_id: 20
  correlation:
    ActivityID: DE03B784-07C3-0003-32C2-03DEC307DA01
  execution:
    process_id: 4816
    thread_id: 4860
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  User: NT AUTHORITY\LOCAL SERVICE
  jobTitle: Font Download
  jobId: BF87B9AA-D285-46CB-89FF-C6C111F0E4CB
  jobOwner: NT AUTHORITY\LOCAL SERVICE
  fileCount: 1
  processId: 2948
  ClientProcessStartKey: 562949953421373
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Command-line command set for job %1 with owner %2. Program: %3 Args: %4.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 6
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-25T21:25:55.426533+00:00'
  event_record_id: 32
  correlation:
    ActivityID: DE03B784-07C3-0003-E610-04DEC307DA01
  execution:
    process_id: 4940
    thread_id: 5896
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  jobId: F36CA3CE-3AEB-4592-B4ED-D23E59938DF9
  jobOwner: NT AUTHORITY\SYSTEM
  program: C:\Windows\system32\directxdatabaseupdater.exe
  parameters: C:\Windows\system32\directxdatabaseupdater.exe -DatabaseComplete {F36CA3CE-3AEB-4592-B4ED-D23E59938DF9}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

BITS started listening for peer-client requests.

Message

BITS was not able to listen for peer-client requests.  The error code was %1.  BITS jobs from other machines will not be able to use this machine as a peer server.  To fix this problem, try stopping the BITS service and restarting it.

Fields

Message

BITS stopped listening for peer-client requests.

Message

BITS started listening for peer-server announcements.

Message

BITS was not able to listen for peer-server announcements.  The error code was %1.  BITS jobs on this machine will not be able to use peer-caching.  To fix this problem, try stopping the BITS service and restarting it.

Fields

Message

BITS stopped listening for peer-server announcements.

Message

BITS has sent an inquiry for peer servers.

Message

BITS has read the policy parameters for peer-caching.

Fields

Message

The peer list rejected an incoming server announcement. This event is generated if the request is not valid, not if the server is merely in a different Windows domain.

Fields

Message

A new peer was added.

Fields

Message

A peer was updated.

Fields

Message

A peer was removed from the peer list.

Fields

Message

A cached peer was restored from disk.

Fields

Message

An application cleared the peer list.

Fields

Message

BITS has replied to a client's inquiry for peer servers.

Fields

Message

The server received a peer inquiry but rejected it.

Fields

Message

A peer search for an URL has begun.

Fields

Message

A peer search ended.

Fields

Message

A search request is being sent.

Fields

Message

A search request has completed.

Fields

Message

A search request has completed unsuccessfully.

Fields

Message

The peer's record %2 matched the request.

Fields

Message

BITS updated the set of IP addresses used for peer-caching.

Fields

Message

Job cannot be transferred because job transfer cost policy preventing it. job: %1, jobID: %2, filecount: %3, jobs transfer policy: %4, global transfer policy: %5.

Fields

Message

The cost state has changed.  NLM reports the following: 
Cost: %1
 Usage: %2 MB
 Cap: %3 MB
 Throttled: %4
 Overcap: %5
 Roaming: %6

The resultant BITS Cost state is : %7.

Fields

Message

BITS started the %2 transfer job that is associated with the %4 URL.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 59
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:45:21.457190+00:00'
  event_record_id: 434
  correlation:
    ActivityID: 837C306A-427B-4022-ABDF-56DD359EB862
  execution:
    process_id: 16164
    thread_id: 12700
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  transferId: 837C306A-427B-4022-ABDF-56DD359EB862
  name: Chrome Component Updater
  Id: 9A25D168-24E6-4C66-AC78-5ED0E6007F1A
  url: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  peer: ''
  fileTime: '2023-09-22T20:52:50.000000Z'
  fileLength: 14317402
  bytesTotal: 14317402
  bytesTransferred: 0
  bytesTransferredFromPeer: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

BITS stopped transferring the %2 transfer job that is associated with the %4 URL. The status code is %6.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 60
  version: 1
  level: 4
  task: 0
  opcode: 2
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:45:52.846707+00:00'
  event_record_id: 435
  correlation:
    ActivityID: 837C306A-427B-4022-ABDF-56DD359EB862
  execution:
    process_id: 16164
    thread_id: 12832
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  transferId: 837C306A-427B-4022-ABDF-56DD359EB862
  name: Chrome Component Updater
  Id: 9A25D168-24E6-4C66-AC78-5ED0E6007F1A
  url: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  peer: ''
  hr: 0
  fileTime: '2023-09-22T20:52:50.000000Z'
  fileLength: 14317402
  bytesTotal: 14317402
  bytesTransferred: 14317402
  proxy: ''
  peerProtocolFlags: 0
  bytesTransferredFromPeer: 0
  AdditionalInfoHr: 0
  PeerContextInfo: 0
  bandwidthLimit: 18446744073709551615
  ignoreBandwidthLimitsOnLan: false
message: ''

Community Notes

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

BITS stopped transferring the %2 transfer job that is associated with the %4 URL. The status code is %6.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 61
  version: 1
  level: 3
  task: 0
  opcode: 2
  keywords: 4611686018427387904
  time_created: '2023-10-25T21:23:18.535833+00:00'
  event_record_id: 25
  correlation:
    ActivityID: B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C
  execution:
    process_id: 4816
    thread_id: 2800
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  transferId: B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C
  name: Font Download
  Id: 0732C691-11CC-4489-AA3A-006D80128165
  url: https://fs.microsoft.com/fs/windows/fontset-2017-04.json
  peer: ''
  hr: 2149580817
  fileTime: '1601-01-01T00:00:00.000000Z'
  fileLength: 18446744073709551615
  bytesTotal: 18446744073709551615
  bytesTransferred: 0
  proxy: ''
  peerProtocolFlags: 0
  bytesTransferredFromPeer: 0
  AdditionalInfoHr: 0
  PeerContextInfo: 0
  bandwidthLimit: 18446744073709551615
  ignoreBandwidthLimitsOnLan: false
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The BITS job named "%1" belonging to user %2 received inconsistent data while downloading. The URL was "%3". The transfer will continue using a different server.  If the problem occurs often, an administrator should scan the peer server for viruses or corruption in its hard drive.

Fields

Message

The BITS job %1 is configured to launch %3 after transfer of %2. The notification program returned error %4, BITS will continue to launch the program periodically until it succeeds.

Fields

Message

The BITS job %1 is configured to launch %3 after transfer of %2. The service failed to launch the program with error %4, BITS will continue trying to launch the program periodically until it succeeds.

Fields

Message

BITS received a peer-cache request from a client at address %1.

Fields

Message

The client's search request is for "%1" with timestamp %2.

Fields

Message

The cache found a matching cache record with ID %1.

Fields

Message

While processing the client's request, BITS encountered error %1.

Fields

Message

BITS rejected the client's request with HTTP status %1.

Fields

Message

BITS has finished processing the client request.

Message

The request includes the client's event-log activity ID.

Message

BITS search for peer-servers has started.

Message

BITS has encountered %1 error while reading the peer-cache information. BITS will now attempt to delete and re-create the peer-cache.

Fields

Message

BITS has successfully deleted the peer-cache. All the files cached until this point have been removed. The peer-cache will be re-created again as needed for handling the future requests.

Message

BITS has successfully enabled peer-client and/or peer-server related components.

Message

BITS has encountered %1 error while starting one or more peer-client or peer-server components.

Fields

Message

BITS accessed group policy value %1 : %2.

Fields

Message

BITS defaulted group policy value %1 : %2.

Fields

Message

The peer's response to a search was invalid.

Fields

Message

The file ranges associated with a transfer attempt

Fields

Message

While transferring %1, BITS encountered error %2 using %3 as the HTTP proxy server.  This may indicate a problem with the proxy server or with the client's network configuration.  If this error occurs frequently, then an administrator should investigate. Details: {Job: %4}, {owner: %5}, {jobid: %6}, {URL: %1}, {xferId: %7}, {proxyServerList: %8}, {hr: %2}.

Fields

Message

The BITS job named "%1" was unable to contact any HTTP proxy server in its proxy list.  This may indicate a problem with the proxy servers or with the client's network configuration.  An administrator should verify whether the proxy list is correct.  BITS will periodically try to transfer the job.  The HTTP proxy list is "%6".  The proxy-bypass list is "%7".

Fields

Message

While transferring %1, BITS encountered error %7 using %6 as the HTTP proxy server.  The web server or proxy server does not support an HTTP feature required by BITS.  This problem can only be corrected by the administrator of the web server or proxy server.  Details: {job: %1}, {owner: %2}, {jobId: %3}, {url: %4}, {xferId: %5}, {proxyServer: %6}, {hr: %7}, {urlContentLength: %8}, {urlHttpVersion: %9}, {urlRange: %10}

Fields

Message

The BITS service provided job credentials in response to an authentication challenge from the %1 server for the %2 transfer job that is associated with the following URL: %3.
The credentials were accepted.

Fields

Message

The BITS service provided job credentials in response to an authentication challenge from %1 for job %2, url %3. The credentials were rejected.

Fields

Message

A bandwidth slot transition occurred.

Fields

Message

The URL "%2" in BITS job "%1" does not support the HTTP HEAD verb, which is required for BITS bandwidth throttling. The URL will be downloaded without throttling.

Fields

Message

The URL "%2" in BITS job "%1" does not support the HTTP Content-Length header, which is required for BITS bandwidth throttling. The URL will be downloaded without throttling.

Fields

Message

A flash-Crowd situation is detected for the URL "%2" in BITS job "%1".

Fields

Message

High performance property for BITS job "%1" with ID "%2" %3.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 209
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:27:06.012810+00:00'
  event_record_id: 121
  correlation:
    ActivityID: F590C418-1079-0000-98E3-90F57910DA01
  execution:
    process_id: 5620
    thread_id: 4004
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  jobName: Font Download
  jobId: 45827C8A-7310-400E-A51E-179189C5AC76
  isRoaming: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The URL "%2" in BITS job "%1" does not support the HTTP Content-Range header, which is required for BITS bandwidth throttling. The URL will be downloaded without throttling.

Fields

Message

BITS job "%2" with ID "%1" encountered an error %3. %4

Fields

Message

BITS service has detected a '%1' system event

Fields

Message

Job is not currently transferring because one of its transfer policies conflicts with current system state. job: %1, jobID: %2, filecount: %3, block reason: %4.

Fields

Message

The service is generating its common global data.

Message

The service is reading its group policy settings.

Message

The service is creating its performance counters.

Message

The service is searching for gateway devices.

Message

The service is starting the peer-caching client.

Message

The service is starting the peer-caching server.

Message

The service is reading the job list from the disk.

Message

The service is updating its list of active network connections.

Message

The service is updating its list of logged-in users.

Message

The service is creating the Volume Shadow Copy writer.

Message

The service is registering its COM objects.

Message

The BITS service has started successfully.

Message

The BITS service has started successfully, but it was delayed long enough that there may be a problem. For more information on the delay, enable the analytic log for BITS, then stop and restart the BITS service.

Message

The peer-cache client startup phase of startup has completed.

Message

The service is shutting down.

Message

The service shutdown is complete.

Message

The BITS service loaded the job list from disk.

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 306
  version: 0
  level: 5
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T00:47:39.589942+00:00'
  event_record_id: 416
  correlation: {}
  execution:
    process_id: 16164
    thread_id: 16220
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

It took %1 seconds to write a change file to the BITS job list. If this is excessive, the number of BITS jobs may be larger than this machine can handle quickly.

Fields

Message

The BITS service shut down successfully, but it was delayed for %1 seconds. This might cause delays when you turn off your computer. For more information on the delay, enable the analytic log for BITS, then stop and restart the BITS service.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 308
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2021-06-13T06:19:28.351119Z'
  event_record_id: 17
  correlation:
    '#attributes':
      ActivityID: 9E13646C-6014-0001-5C6E-139E1460D701
  execution:
    process_id: 1140
    thread_id: 356
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: sv-dc.hinokabegakure-no-sato.local
  security:
    user_id: S-1-5-18
event_data:
  number: '3199.234'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

The BITS peer cache was unable to find any peers in the network.

Message

The initialization of the peer helper modules failed with the following error:  %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 310
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T00:48:24.805665+00:00'
  event_record_id: 419
  correlation: {}
  execution:
    process_id: 16164
    thread_id: 15644
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ErrorCode: 2147942450
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The BITS peer transfer with the %1 ID for the %2 transfer job resulted in the following error: %4.

Fields

Message

The Network List Manager Cost Interface is not available on this system. (This is expected on Windows Server.)  BITS will not consider Transfer Policy when scheduling jobs.

Fields

Message

The Network List Manager Cost Interface is reporting no network connectivity. BITS will try to retrieve the network state again at a later time.

Fields

Message

The administrator %4 canceled job "%2" on behalf of %3.  The job ID was %1.

Fields

Message

While canceling job "%2", BITS was unable to remove some temporary files. To recover disk space, delete the files listed below.  The job ID was %1.  %3

Fields

Message

While canceling job "%2", BITS was unable to remove some temporary files. To recover disk space, delete the temporary files. Note: Due to space limitations, not all files are listed.  Check for additional files of the form BITxxx.TMP in the same directory.  The job ID was %1.  %3

Fields

Message

The administrator %3 modified the %4 property of job "%2".  The job ID was %1.

Fields

Message

The administrator %4 took ownership of job "%2" from %3.  The job ID was %1.

Fields

Message

Job "%2" owned by %3 was canceled after being inactive for more than %4 days.  The job ID was %1.

Fields

Message

Job "%2" owned by %3 failed to notify its associated application.  BITS will retry in %4 minutes.  The job ID was %1.

Fields

Message

The BITS job list is not in a recognized format.  It may have been created by a different version of BITS.  The job list has been cleared.

Message

The BITS service failed to start.  Error %1.

Fields

Message

BITS has encountered an error communicating with an Internet Gateway Device.  Please check that the device is functioning properly. BITS will not attempt to use this device until the next system reboot. Error code: %1.

Fields

Message

BITS Peer-caching protocol

Message

Web Services-Discovery protocol

Message

Error %3 occurred when BITS tried to change the state of firewall rule "%1" to %2.  Restarting the BITS service may correct the problem.

Fields

Message

The Per-user job limit (%2) specified through Group Policy must be less than or equal to Per-computer job Limit (%3).  To correct the problem, modify BITS Group Policy settings and restart the BITS service.

Fields

Message

A new BITS job could not be created. The current job count for the user %1 (%2) is equal to or greater than the job limit (%3) specified through group policy.  To correct the problem, complete or cancel the BITS jobs that haven't made progress by looking at the error, and restart the BITS service. If this error recurs, contact your system administrator and increate the per-user and per-computer Group Policy job limits.

Fields

Message

A new BITS job could not be created. The current job count for this computer (%2) is equal to or greater than the per-computer job limit (%3) specified through Group Policy.  To correct the problem, complete or cancel the BITS jobs that haven't made progress by looking at the error and restarting the BITS service. If this error recurs, contact your system administrator and increase the per-computer Group Policy job limits.

Fields

Message

BITS could not add file(s) to %1 job. The file count for %1 job (%2) has exceeded the per-job file limit (%3) specified through Group Policy.  To correct the problem, increase the Computer?s per-job file limit Group Policy settings and restart the BITS service.

Fields

Message

BITS could not add ranges to %1 file. The range count for %1 file (%2) has exceeded the per-file range limit (%3) specified through group policy.  To correct the problem, increase the per-file range limit Group Policy setting and restart the BITS service.

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Bits-Client
  guid: EF1CC15B-46C1-414E-BB95-E76B077BD51E
  event_source_name: ''
  event_id: 16403
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T01:45:21.024078+00:00'
  event_record_id: 433
  correlation:
    ActivityID: E4DB489E-1037-0002-3588-E4E43710DA01
  execution:
    process_id: 16164
    thread_id: 18264
  channel: Microsoft-Windows-Bits-Client/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  User: WINDEV2310EVAL\User
  jobTitle: Chrome Component Updater
  jobId: 9A25D168-24E6-4C66-AC78-5ED0E6007F1A
  jobOwner: WINDEV2310EVAL\User
  fileCount: 1
  RemoteName: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  LocalName: C:\Users\User\AppData\Local\Temp\chrome_BITS_2208_583787314\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  processId: 2208
  ClientProcessStartKey: 3659174697241209
message: ''

Community Notes

Sigma Rules

• BITS Transfer Job Downloading File Potential Suspicious Extension
  Detects new BITS transfer job saving local files with potential suspicious extensions
• BITS Transfer Job Download From File Sharing Domains
  Detects BITS transfer job downloading files from a file sharing domain.
• BITS Transfer Job Download From Direct IP
  Detects a BITS transfer job downloading file(s) from a direct IP address.
• BITS Transfer Job With Uncommon Or Suspicious Remote TLD
  Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
• BITS Transfer Job Download To Potential Suspicious Folder
  Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The BITS service has detected an exception, Function: %1, Line: %2 Error code: %3.

Fields

Message

A bandwidth profile is not configured correctly. The value of a Group Policy setting is missing or is not within the allowed range. Make sure that you configure the Group Policy settings correctly, and then try again.

Fields

Message

The BITS service is configured to run as %1. BITS works correctly only when configured to run as the system account.

Fields