Esentutl Gather Credentials
Conti recommended to its affiliates that they use esentutl to access a dumped NTDS file. Trickbot also uses this utility to gather Microsoft Edge data via its pwgrab module.
Sigma rule
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://attack.mitre.org/software/S0404/
    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'esentutl'
            - ' /p'
    condition: selection
fields:
    - User
    - CommandLine
    - ParentCommandLine
    - CurrentDirectory
falsepositives:
    - To be determined
level: medium
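The detection above is a single `CommandLine|contains|all` selection: an event matches only when the command line contains both `esentutl` and ` /p` (leading space included). The following is an added example, not part of the Sigma project or the rule itself, that applies that selection to a handful of constructed process_creation events and projects the rule's `fields` for the analyst. Sigma string matching is case-insensitive by default, which the example mirrors; the sample events, user names and paths are all constructed.

```python
"""Added example: evaluate the rule's selection against constructed
process_creation events. Illustrative code, not the Sigma project's own."""
from typing import Dict, List

# The rule's selection, transcribed from the YAML: CommandLine|contains|all.
SELECTION: Dict[str, List[str]] = {"CommandLine": ["esentutl", " /p"]}

# Fields the rule asks to surface next to a hit.
REPORT_FIELDS = ["User", "CommandLine", "ParentCommandLine", "CurrentDirectory"]


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma's |contains|all modifier: every needle must occur as a
    substring. Matching is case-insensitive, as in Sigma's defaults."""
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches(event: Dict[str, str]) -> bool:
    """condition: selection -> every field listed in the selection must
    satisfy its modifier (here only CommandLine)."""
    return all(
        contains_all(event.get(field_name, ""), needles)
        for field_name, needles in SELECTION.items()
    )


def alert(event: Dict[str, str]) -> Dict[str, str]:
    """Project only the rule's `fields` so the analyst sees who ran what, from where."""
    return {f: event.get(f, "") for f in REPORT_FIELDS}


def run(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert record per matching event."""
    return [alert(e) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Matches: both substrings present, repair switch against a copied NTDS file.
    {
        "User": "CORP\\svc_backup",
        "CommandLine": "esentutl.exe /p C:\\Temp\\ntds.dit",
        "ParentCommandLine": "cmd.exe",
        "CurrentDirectory": "C:\\Temp\\",
    },
    # Matches: same switch in upper case, so case-insensitivity matters.
    {
        "User": "CORP\\jdoe",
        "CommandLine": "ESENTUTL /P \"C:\\Temp\\dump.edb\"",
        "ParentCommandLine": "powershell.exe",
        "CurrentDirectory": "C:\\Users\\jdoe\\",
    },
    # No match: esentutl is present, "/p" appears only inside a path with no
    # leading space, which is exactly why the rule searches for ' /p'.
    {
        "User": "CORP\\dba",
        "CommandLine": "esentutl.exe /mh C:\\share/private\\db.edb",
        "ParentCommandLine": "explorer.exe",
        "CurrentDirectory": "C:\\share\\",
    },
    # No match: ' /p' without esentutl.
    {
        "User": "CORP\\jdoe",
        "CommandLine": "certutil.exe /p secret -importpfx cert.pfx",
        "ParentCommandLine": "cmd.exe",
        "CurrentDirectory": "C:\\Users\\jdoe\\",
    },
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Because the rule keys on two substrings only, a legitimate database repair with `esentutl /p` produces the same alert, which is why the rule lists false positives as "to be determined" and sits at medium level; the `User`, `ParentCommandLine` and `CurrentDirectory` fields it surfaces are what an analyst uses to triage such a hit.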
Related rules
- Shadow Copies Creation Using Operating Systems Utilities
- Access To Crypto Currency Wallets By Uncommon Applications
- Active Directory Database Snapshot Via ADExplorer
- Capture Credentials with Rpcping.exe
- Copying Sensitive Files with Credential Data