Day: October 25, 2021

Library Video

Threat Hunt Deep Dives Ep. 8 – Living Off the Land (LOTL) with Esentutl.exe

In this Threat Hunt Deep Dive, we focus on the Living Off the Land (LOTL) binary Esentutl.exe. Designed for maintenance tasks on Extensible Storage Engine (ESE) databases and their files, this signed Microsoft executable also doubles as a file copy utility, and its copy mode can read from and write to NTFS Alternate Data Streams (ADS). Threat actors use these streams to hide files for different goals, such as staging tooling they have brought in and parking data for exfiltration. Esentutl.exe can also copy a locked file such as ntds.dit out of a Volume Shadow Copy. Ntds.dit is the Active Directory database; once the attacker pairs it with the SYSTEM registry hive (the boot key), it yields the usernames and password hashes of every domain account. By combining these techniques, the adversary can bring tools into the network, take what they want, and get the keys to the kingdom using one tool.
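The hunting logic the episode describes, as an added example (not code from the Threat Hunt Deep Dive itself): it walks process-creation records, keeps only esentutl.exe invocations in copy mode (/y), and tags those whose source or destination names an alternate data stream, whose copy goes through a shadow copy (the /vss switch or a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path), or whose source is ntds.dit. The pipe-delimited log and the field order (time|user|image|command line) are constructed for the example and are not a real EDR format.

```python
"""Hunt for esentutl.exe copy abuse (ADS read/write, VSS / ntds.dit copies).

Added example for this episode summary, not the show's own code. The log
format below is an assumption made for the example, not real telemetry.
"""
import re

# Constructed sample log: time|user|image|command line. Not real telemetry.
SAMPLE_LOG = r"""
2021-10-25T14:02:11Z|CORP\jdoe|C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\Users\Public\notes.txt:payload.exe /d C:\Users\Public\payload.exe /o
2021-10-25T14:05:43Z|CORP\jdoe|C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\Temp\tool.exe /d "C:\Temp\Q3 report.docx:tool.exe" /o
2021-10-25T14:09:02Z|CORP\svc_backup|C:\Windows\System32\esentutl.exe|esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit
2021-10-25T14:11:37Z|CORP\svc_backup|C:\Windows\System32\esentutl.exe|esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit /d C:\Temp\n.dit
2021-10-25T14:15:00Z|NT AUTHORITY\SYSTEM|C:\Windows\System32\esentutl.exe|esentutl.exe /p C:\Windows\Security\Database\secedit.sdb
2021-10-25T14:16:20Z|CORP\dbadmin|C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\Backup\mail.edb /d D:\Restore\mail.edb /o
2021-10-25T14:17:05Z|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Temp
"""

# Optional \\?\ prefix followed by a drive letter and its colon.
_DRIVE_PREFIX = re.compile(r'^(?:\\\\\?\\)?[A-Za-z]:')


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def arg_after(tokens: list, flag: str):
    """Return the first non-switch token following `flag` (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if flag not in low:
        return None
    for tok in tokens[low.index(flag) + 1:]:
        if not tok.startswith('/'):
            return tok
    return None


def is_ads_path(path: str) -> bool:
    """True when the path names an alternate data stream: any colon left after the drive colon."""
    return ':' in _DRIVE_PREFIX.sub('', path)


def hunt(log_text: str) -> list:
    """Return one finding per esentutl.exe /y copy whose source or destination is suspicious."""
    findings = []
    for line in log_text.strip().splitlines():
        time, user, image, cmdline = line.split('|', 3)
        if not image.lower().endswith(r'\esentutl.exe'):
            continue
        tokens = split_cmdline(cmdline)
        low = [t.lower() for t in tokens]
        if '/y' not in low:  # only copy mode matters for this hunt
            continue
        src = arg_after(tokens, '/y') or ''
        dst = arg_after(tokens, '/d') or ''
        tags = []
        if is_ads_path(src):
            tags.append('ads_read')   # tool pulled out of a hidden stream
        if is_ads_path(dst):
            tags.append('ads_write')  # tool or data hidden in a stream
        if '/vss' in low or 'harddiskvolumeshadowcopy' in src.lower():
            tags.append('vss_copy')   # locked file read through a shadow copy
        if src.lower().endswith('ntds.dit'):
            tags.append('ntds_dit')   # AD database; hashes still need the SYSTEM hive
        if tags:
            findings.append({'time': time, 'user': user, 'source': src,
                             'dest': dst, 'tags': tags})
    return findings


if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print(f['time'], f['user'], ','.join(f['tags']), f['source'], '->', f['dest'])
```

Two of the seven constructed records are deliberately benign (an integrity check with /p and a plain .edb copy) and produce no finding, so the rule keys on where the bytes come from and go to, not on esentutl.exe running at all. A ntds_dit hit should prompt a look for a matching SYSTEM hive copy (reg save or a second esentutl /vss copy), since the hashes cannot be decrypted without it.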
