38 lines
970 B
YAML
38 lines
970 B
YAML
|
|
title: Esentutl Gather Credentials
|
|
author: sam0x90
|
|
date: 2021/08/06
|
|
description: Conti recommendation to its affiliates to use esentult to access NTDS
|
|
dumped file. Trickbot also uses this utilities to get MSEdge info via its module
|
|
pwgrab.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
CommandLine: '*esentutl*'
|
|
SELECTION_3:
|
|
CommandLine: '* /p*'
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
|
|
falsepositives:
|
|
- To be determined
|
|
fields:
|
|
- User
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
- CurrentDirectory
|
|
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://twitter.com/vxunderground/status/1423336151860002816
|
|
- https://attack.mitre.org/software/S0404/
|
|
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
|
|
status: experimental
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
- attack.t1003.003
|
|
ruletype: SIGMA
|