BITS-Client Event Log
Tags: Windows, Persistence Mechanisms, Disk Image, SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
Description
Background Intelligent Transfer Service client log capturing Event 59 (transfer initiated with full URL) and Event 60 (transfer completed with byte count). Supplements the qmgr.db database with timestamped event records.
Forensic Value
BITS-Client events provide timestamped evidence of file downloads that BITS jobs initiated, including the full remote URL and local destination path. Event 59 records the URL at transfer start, proving the download source for malicious payloads. Event 60 confirms successful completion with total bytes transferred. These events persist even after BITS job cleanup and complement qmgr.db analysis for complete BITS activity reconstruction.
Tools Required
KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx" --csv C:\output --csvf BITSClient.csv
PowerShell
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Bits-Client/Operational"; Id=59,60} | Export-Csv C:\output\bits_client_events.csv
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
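The Event 59 / Event 60 pairing described under Forensic Value, as an added PowerShell example (not part of the original page or of any tool it lists): it reads an exported copy of the log, pulls the URL and byte count out of each event's EventData, and matches each completion to the most recent start for the same URL so that transfers with no completion (or no retained start) stand out. The EventData field names 'url', 'jobTitle' and 'bytesTransferred' and the output path are assumptions, not values taken from the page.

```powershell
# Added example: rebuild BITS-Client transfers from Event 59 (start, URL) and Event 60 (completion).
# Assumed EventData field names: 'url', 'jobTitle', 'bytesTransferred'. Path below is a placeholder.
param(
    [string]$EvtxPath = 'C:\output\Microsoft-Windows-Bits-Client%4Operational.evtx'  # placeholder
)

function ConvertTo-BitsRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    # EventData/Data elements carry a Name attribute; index the values by that name.
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Id       = $Event.Id
        RecordId = $Event.RecordId
        JobTitle = [string]$data['jobTitle']          # assumed field name
        Url      = [string]$data['url']               # assumed field name; '' when absent
        Bytes    = [string]$data['bytesTransferred']  # assumed field name, filled on Event 60
    }
}

# Read only events 59 and 60 from the exported log (works offline, no live host needed).
$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 59, 60 } |
          ForEach-Object { ConvertTo-BitsRecord $_ } | Sort-Object RecordId

$pending   = @{}   # URL -> most recent Event 59 not yet matched to an Event 60
$transfers = foreach ($e in $events) {
    if ($e.Id -eq 59) { $pending[$e.Url] = $e; continue }
    $start = $pending[$e.Url]
    if ($start) { $pending.Remove($e.Url) }
    [pscustomobject]@{
        JobTitle  = $e.JobTitle
        Url       = $e.Url
        Started   = if ($start) { $start.Time } else { $null }  # $null: start rolled out of the log
        Completed = $e.Time
        Bytes     = $e.Bytes
    }
}

# Completed transfers first, then starts that never reached Event 60 (cancelled job or log rollover).
$transfers | Sort-Object Completed | Format-Table -AutoSize
$pending.Values | Select-Object Time, JobTitle, Url | Format-Table -AutoSize
```

Run against the on-host log instead by replacing the Path key with LogName="Microsoft-Windows-Bits-Client/Operational", as in the collection command above.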
MITRE ATT&CK Techniques
T1197, T1105