Skip to content

Hide Navigation Hide TOC

Esentutl Gather Credentials (7df1713a-1a5b-4a4b-a071-dc83b144a101)

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

Cluster A Galaxy A Cluster B Galaxy B Level
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Esentutl Gather Credentials (7df1713a-1a5b-4a4b-a071-dc83b144a101) Sigma-Rules 1
Esentutl Gather Credentials (7df1713a-1a5b-4a4b-a071-dc83b144a101) Sigma-Rules OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2