Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
Sigma rule (View on GitHub)
1title: Esentutl Gather Credentials
2id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
3status: test
4description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
5references:
6 - https://twitter.com/vxunderground/status/1423336151860002816
7 - https://attack.mitre.org/software/S0404/
8 - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
9author: sam0x90
10date: 2021/08/06
11modified: 2022/10/09
12tags:
13 - attack.credential_access
14 - attack.t1003
15 - attack.t1003.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'esentutl'
23 - ' /p'
24 condition: selection
25fields:
26 - User
27 - CommandLine
28 - ParentCommandLine
29 - CurrentDirectory
30falsepositives:
31 - To be determined
32level: medium
References
-
-
Enterprise T1005 Data from Local System esentutl can be used to collect data from local file systems.[2] Enterprise T1006 Direct Volume Access esentutl can use the Volume Shadow Copy service to cop...
Read More -
This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which downloaded an executed a Cobalt Strike Beacon. A couple days later, the threat actors came back and executed Conti ransomware across the domain.
Read More
Related rules
- NTDSutil Pulling of NTDS.dit File
- PUA - DIT Snapshot Viewer
- Suspicious Reg Add Open Command
- Create Volume Shadow Copy with Powershell
- Linux Keylogging with Pam.d