Copying Sensitive Files with Credential Data

 1title: Copying Sensitive Files with Credential Data
 2id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
 3status: test
 4description: Files with well-known filenames (sensitive files with credential data) copying
 5references:
 6    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
 7    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 8    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 9    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
10author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
11date: 2019/10/22
12modified: 2024/06/04
13tags:
14    - attack.credential_access
15    - attack.t1003.002
16    - attack.t1003.003
17    - car.2013-07-001
18    - attack.s0404
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_esent_img:
24        - Image|endswith: '\esentutl.exe'
25        - OriginalFileName: '\esentutl.exe'
26    selection_esent_cli:
27        CommandLine|contains|windash:
28            - 'vss'
29            - ' /m '
30            - ' /y '
31    selection_susp_paths:
32        CommandLine|contains:
33            - '\config\RegBack\sam'
34            - '\config\RegBack\security'
35            - '\config\RegBack\system'
36            - '\config\sam'
37            - '\config\security'
38            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
39            - '\repair\sam'
40            - '\repair\security'
41            - '\repair\system'
42            - '\windows\ntds\ntds.dit'
43    condition: all of selection_esent_* or selection_susp_paths
44falsepositives:
45    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
46level: high

References

• Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1

  This and part 2 are mostly just an update to http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html but without the need for VSSOwn, that and we are doing it remotely without the need for shell on the DC. Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV and GPOs not allowing anyone to RDP in (Even Domain Admins) unless they provided some kind of voodo happy dance? Ya me neither, but here is how you can still dump domain hashes and hash history if you run into that case.

  
  Read More

• Hunting for Credentials Dumping in Windows Environment

  

  Hunting for Credentials Dumping in Windows Environment - Download as a PDF or view online for free

  
  Read More

• Locked File Access Using ESENTUTL.exe

  

  I’m currently working on a solution to collect files off a live system to be used during some IR processes. I won’t go into any great detail but I’m limited to only using built-in…

  
  Read More

• LOLBAS/yml/OSBinaries/Esentutl.yml at 2cc01b01132b5c304027a658c698ae09dd6a92bf · LOLBAS-Project/LOLBAS

  

  Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS

  
  Read More

Related rules

• Dumping of Sensitive Hives Via Reg.EXE
• Cred Dump Tools Dropped Files
• Shadow Copies Creation Using Operating Systems Utilities
• Possible Impacket SecretDump Remote Activity
• NTDS.DIT Creation By Uncommon Process