Threat Hunt Deep Dives: Living Off the Land (LOTL) with Esentutl.exe
By Lee Archnial at Cyborg Security
In this Threat Hunt Deep Dive, we focus on the Living Off the Land Binary (LOTL) Esentutl.exe. Designed for running tasks and operations related to databases and database files, this executable can be abused to read and write NTFS Alternate Data Streams (ADS). Using different techniques, threat actors can hide files in these streams to accomplish goals such as tool infiltration and data exfiltration. Esentutl.exe can also extract the ntds.dit file from a Shadow Copy, which provides the attacker with information about the Active Directory environment, including usernames and password hashes. By combining these techniques, the adversary can infiltrate the network, take what they want, and get the keys to the kingdom using a single tool.
Queries
1st Hunt Query:
Event_ID=4688 AND Process_Name=*esentutl.exe* AND (CommandLine=*/y* OR CommandLine="*:*" OR CommandLine="*/d*")
2nd Hunt Query:
Event_ID=4688 AND Process_Name=*esentutl.exe* AND (CommandLine=*/y* OR CommandLine=*/p* OR CommandLine=*/vss* OR CommandLine=*/d*) AND (CommandLine=*AppData* OR CommandLine=*C:\Public* OR CommandLine=*C:\Users* OR CommandLine=*C:\Perflogs* OR CommandLine=*C:\Windows*)
3rd Detections Query:
Event_ID=4688 AND Process_Name=*esentutl.exe* AND CommandLine=*/vss* AND CommandLine=*ntds.dit
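The three queries above, re-expressed as plain Python over a handful of constructed 4688 process-creation events, as an added example that is not code from the original post; the event field names (EventID, ProcessName, CommandLine) and the sample command lines are assumptions. Running it also shows why the `*:*` term in the first query is noisy: it matches the colon in any drive letter, so a routine integrity check fires too.

```python
import re

# Constructed sample 4688 events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\esentutl.exe",   # hide a tool in an ADS
     "CommandLine": r"esentutl.exe /y C:\Users\bob\AppData\Local\Temp\tool.exe /d C:\Users\bob\notes.txt:hidden"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\esentutl.exe",   # ntds.dit via shadow copy
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Perflogs\ntds.dit"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\esentutl.exe",   # benign integrity check
     "CommandLine": r"esentutl.exe /g C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\notepad.exe",    # unrelated process
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

def like(value: str, pattern: str) -> bool:
    """Case-insensitive SIEM-style wildcard match: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def any_like(value: str, patterns) -> bool:
    return any(like(value, p) for p in patterns)

def is_esentutl(event: dict) -> bool:
    return event["EventID"] == 4688 and like(event["ProcessName"], "*esentutl.exe*")

# User-writable or commonly abused locations from the 2nd hunt query.
SUSPICIOUS_PATHS = ["*AppData*", r"*C:\Public*", r"*C:\Users*", r"*C:\Perflogs*", r"*C:\Windows*"]

def hunt_1(event: dict) -> bool:
    # '*:*' also matches 'C:' in ordinary paths, which is why this query is the broadest.
    return is_esentutl(event) and any_like(event["CommandLine"], ["*/y*", "*:*", "*/d*"])

def hunt_2(event: dict) -> bool:
    cl = event["CommandLine"]
    return (is_esentutl(event)
            and any_like(cl, ["*/y*", "*/p*", "*/vss*", "*/d*"])
            and any_like(cl, SUSPICIOUS_PATHS))

def detect_3(event: dict) -> bool:
    # '*ntds.dit' has no trailing '*', so the command line must END with ntds.dit.
    cl = event["CommandLine"]
    return is_esentutl(event) and like(cl, "*/vss*") and like(cl, "*ntds.dit")

def run_hunts(events) -> dict:
    """Map event index -> names of the queries that fired, for events matching at least one."""
    checks = [("hunt1", hunt_1), ("hunt2", hunt_2), ("detect3", detect_3)]
    results = {}
    for i, ev in enumerate(events):
        hits = [name for name, fn in checks if fn(ev)]
        if hits:
            results[i] = hits
    return results
```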
Commands
Extract NTDS.dit file:
esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\[PathToSaveFile]
Hide a file in alternate data streams:
esentutl.exe /y C:\[PathToFileYouWantToHide] /d C:\[PathToFileYouAreHidingItIn]:[NameYourAlternateDataStream]
Extract a file:
esentutl.exe /y C:\[PathToFileWithHiddenData]:[HiddenDataStream] /d C:\[PathWhereToSaveFile]
PowerShell command to view data streams:
Get-Item -Path [PathToDirectory] -Stream *
PowerShell command to view the content of a hidden stream:
Get-Content C:\[PathToFile] -Stream [NameOfHiddenStream]
Execute .exe out of alternate data streams:
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = "C:\[PathToFile]"}
References:
NTDS File cracking:
https://bond-o.medium.com/extracting-and-cracking-ntds-dit-2b266214f277
IRed.team:
https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams
LOLBins:
https://lolbas-project.github.io/lolbas/Binaries/Esentutl/
MITRE ATT&CK: