Esentutl Gather Credentials
Conti recommended that its affiliates use esentutl to access a dumped NTDS file. Trickbot also uses this utility to collect MSEdge info via its pwgrab module.
Sigma rule
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.003
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'esentutl'
            - ' /p'
    condition: selection
fields:
    - User
    - CommandLine
    - ParentCommandLine
    - CurrentDirectory
falsepositives:
    - To be determined
level: medium
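To show what the selection above actually fires on, here is an added example (not part of the rule or of the Sigma project) that evaluates the rule's `CommandLine|contains|all` selection over a few constructed process_creation events. It assumes Sysmon-style field names and applies Sigma's case-insensitive string matching; the events and user names are made up.

```python
"""Evaluate the 'Esentutl Gather Credentials' selection over sample events."""

# Selection and fields copied from the rule above.
SELECTION = {"CommandLine|contains|all": ["esentutl", " /p"]}
FIELDS = ["User", "CommandLine", "ParentCommandLine", "CurrentDirectory"]


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier...' entry of a Sigma selection."""
    name, *mods = key.split("|")
    haystack = str(event.get(name, "")).lower()   # Sigma matching is case-insensitive
    needles = [str(v).lower() for v in values]
    if "contains" not in mods:
        raise ValueError(f"unsupported modifiers for {key}: {mods}")
    if "all" in mods:                              # every value must be present
        return all(n in haystack for n in needles)
    return any(n in haystack for n in needles)     # default: any value matches


def matches(event, selection=SELECTION):
    """All field entries of a selection map are AND-ed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def alert(event):
    """Return the rule's 'fields' for a matching event, else None."""
    return {f: event.get(f) for f in FIELDS} if matches(event) else None


# Constructed sample events (hypothetical, not real telemetry).
EVENTS = [
    {"User": "CORP\\svc-backup",                  # matches: 'esentutl' and ' /p'
     "CommandLine": "ESENTUTL.EXE /p C:\\temp\\ntds.dit",
     "ParentCommandLine": "cmd.exe", "CurrentDirectory": "C:\\temp\\"},
    {"User": "CORP\\admin",                       # no ' /p' switch: no match
     "CommandLine": "esentutl.exe /y src.edb /d copy.edb",
     "ParentCommandLine": "cmd.exe", "CurrentDirectory": "C:\\backup\\"},
    {"User": "CORP\\jdoe",                        # ' /p' but not esentutl: no match
     "CommandLine": "notepad.exe /p readme.txt",
     "ParentCommandLine": "explorer.exe", "CurrentDirectory": "C:\\Users\\jdoe\\"},
]


def run(events=EVENTS):
    """Return the alert records for every matching event."""
    return [a for a in (alert(e) for e in events) if a]


if __name__ == "__main__":
    for record in run():
        print(record)
```

Note that the selection keys only on the `/p` (repair) switch, so legitimate `esentutl /p` repairs of other ESE databases will also match; the `ParentCommandLine` and `CurrentDirectory` fields are there to help triage those.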
Related rules
- Shadow Copies Creation Using Operating Systems Utilities
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- Access To Crypto Currency Wallets By Uncommon Applications
- Credential Manager Access By Uncommon Applications
- Hacktool Execution - PE Metadata