Event ID 16403 —
Fields #
| Name | Type | Description |
|---|---|---|
| User | UnicodeString | — |
| jobTitle | UnicodeString | — |
| jobId | GUID | — |
| jobOwner | UnicodeString | — |
| fileCount | UInt64 | — |
| RemoteName | UnicodeString | — |
| LocalName | UnicodeString | — |
| processId | UInt32 | — |
| ClientProcessStartKey | UInt64 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Bits-Client",
    "guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
    "event_source_name": "",
    "event_id": 16403,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T01:45:21.024078+00:00",
    "event_record_id": 433,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
    },
    "execution": {
      "process_id": 16164,
      "thread_id": 18264
    },
    "channel": "Microsoft-Windows-Bits-Client/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "User": "WINDEV2310EVAL\\User",
    "jobTitle": "Chrome Component Updater",
    "jobId": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
    "jobOwner": "WINDEV2310EVAL\\User",
    "fileCount": 1,
    "RemoteName": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
    "LocalName": "C:\\Users\\User\\AppData\\Local\\Temp\\chrome_BITS_2208_583787314\\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
    "processId": 2208,
    "ClientProcessStartKey": 3659174697241209
  },
  "message": ""
}
```
Community Notes #
May indicate download or staging activity. See the Google Cloud post "Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service".
Detection Rules #
Sigma #
- BITS Transfer Job Downloading File Potential Suspicious Extension (level: medium): Detects a new BITS transfer job saving local files with potentially suspicious extensions.
- BITS Transfer Job Download From File Sharing Domains (level: high): Detects a BITS transfer job downloading files from a file sharing domain.
- BITS Transfer Job Download From Direct IP (level: high): Detects a BITS transfer job downloading file(s) from a direct IP address.
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD (level: medium): Detects a suspicious download using the BITS client from an FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
- BITS Transfer Job Download To Potential Suspicious Folder (level: high): Detects a new BITS transfer job where the LocalName/saved file is stored in a potentially suspicious location.
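As an added illustration (not code from this page or from the Sigma project), the following Python triage helper applies three of the rule ideas above to the `event_data` fields of a 16403 event: remote host is a bare IP, the saved file has a suspicious extension, and the saved file lands in a suspicious folder. The extension and folder lists are assumptions chosen for the example, not the Sigma rules' own lists, and the second sample event is constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed indicator lists for this example; the real Sigma rules carry their own.
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".ps1", ".vbs", ".hta", ".bat", ".scr"}
SUSPICIOUS_FOLDERS = (r"\\Users\\Public\\", r"\\Windows\\Temp\\", r"\\ProgramData\\")


def remote_is_direct_ip(remote_name: str) -> bool:
    """True when the RemoteName URL's host parses as an IPv4/IPv6 literal."""
    host = urlparse(remote_name).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def local_has_suspicious_extension(local_name: str) -> bool:
    """True when LocalName ends in one of the assumed suspicious extensions."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", local_name)
    return bool(m) and m.group(1).lower() in SUSPICIOUS_EXTENSIONS


def local_in_suspicious_folder(local_name: str) -> bool:
    """True when LocalName sits under one of the assumed suspicious folders."""
    return any(re.search(p, local_name, re.IGNORECASE) for p in SUSPICIOUS_FOLDERS)


def triage_16403(event_data: dict) -> list:
    """Return the names of the checks that fire for one event's event_data block."""
    remote = event_data.get("RemoteName", "")
    local = event_data.get("LocalName", "")
    hits = []
    if remote_is_direct_ip(remote):
        hits.append("direct_ip_download")
    if local_has_suspicious_extension(local):
        hits.append("suspicious_extension")
    if local_in_suspicious_folder(local):
        hits.append("suspicious_folder")
    return hits


# event_data of the page's example (a benign Chrome component update) and a
# constructed noisy event using a TEST-NET address.
PAGE_EVENT = {
    "jobTitle": "Chrome Component Updater",
    "RemoteName": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
    "LocalName": r"C:\Users\User\AppData\Local\Temp\chrome_BITS_2208_583787314\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
}
CONSTRUCTED_EVENT = {
    "jobTitle": "update",
    "RemoteName": "http://203.0.113.10/update.exe",
    "LocalName": r"C:\Users\Public\update.exe",
}
```

Running `triage_16403` over both dictionaries yields no hits for the page's event and all three hits for the constructed one, which is the separation a first-pass rule set should give.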
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline