Techniques
Sample rules
Esentutl Gather Credentials
- source: sigma
- techniques:
- t1003
- t1003.003
Description
Conti recommended that its affiliates use esentutl to access a dumped NTDS file. TrickBot also uses this utility to obtain MS Edge information via its pwgrab module.
Detection logic
selection:
  CommandLine|contains|all:
    - esentutl
    - ' /p'
condition: selection
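An added example, not part of the original rule page or the Sigma project, that evaluates this selection over constructed process-creation events (the event dictionaries, their `id` field and the command lines are assumptions). It applies Sigma's default case-insensitive `contains` matching and the `all` modifier.

```python
# Added example (not from the rule page): evaluator for the rule's
# CommandLine|contains|all selection over constructed sample events.
# Sigma string matching is case-insensitive unless the `cased` modifier
# is used, so both sides are lowercased before comparison.

# The rule's selection, transcribed from the page.
SELECTION = {"CommandLine|contains|all": ["esentutl", " /p"]}


def field_matches(value: str, modifiers: list, needles: list) -> bool:
    """Apply Sigma 'contains' (with optional 'all') to one field value."""
    if "contains" not in modifiers:
        raise ValueError("example only implements the 'contains' modifier")
    hay = value.lower()
    hits = [n.lower() in hay for n in needles]
    # 'all' requires every listed value; without it, any one value suffices.
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event: dict, selection: dict) -> bool:
    """Every key in a Sigma selection map must match (logical AND)."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        value = event.get(field)
        if value is None or not field_matches(str(value), modifiers, needles):
            return False
    return True


# Constructed process-creation events (not real telemetry). Event 3 is a
# benign esentutl recovery run without ' /p'; event 4 has ' /p' but no
# esentutl; event 5 shows that 'esentutl' alone is not enough.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r"esentutl.exe /p C:\Temp\copied.dit"},
    {"id": 2, "CommandLine": r'"C:\Windows\System32\ESENTUTL.EXE" /P db.edb /o'},
    {"id": 3, "CommandLine": r"esentutl.exe /r edb /l C:\Windows\NTDS"},
    {"id": 4, "CommandLine": "cmd.exe /c dir /p"},
    {"id": 5, "CommandLine": "notepad.exe esentutl-notes.txt"},
]


def run_rule(events: list) -> list:
    """Return ids of events satisfying the selection (condition: selection)."""
    return [e["id"] for e in events if selection_matches(e, SELECTION)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [1, 2]
```

Note that `' /p'` is a substring test, so any later switch or argument beginning with ` /p` would also satisfy the rule; tune the selection if that produces noise in your environment.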