Esentutl Gather Credentials

calendar Nov 24, 2025 · attack.credential-access attack.t1003 attack.t1003.003 attack.s0404  ·
Share on: linkedin copy

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Sigma rule (View on GitHub)

 1title: Esentutl Gather Credentials
 2id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
 3status: test
 4description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
 5references:
 6    - https://twitter.com/vxunderground/status/1423336151860002816
 7    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
 8author: sam0x90
 9date: 2021-08-06
10modified: 2022-10-09
11tags:
12    - attack.credential-access
13    - attack.t1003
14    - attack.t1003.003
15    - attack.s0404
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains|all:
22            - 'esentutl'
23            - ' /p'
24    condition: selection
25falsepositives:
26    - To be determined
27level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

    Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which downloaded and e…


    Read More

Related rules

to-top