@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Esentutl and File copy

Note: I translated Japanese into English using Google Translate. Thank you, Google.

FireEye has released a report on APT 10's TTPs. I was interested in the method using the ESENTUTL tool.

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

3. The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) with the following commands (esentutil.exe is also a legitimate program that is pre-installed in Windows):

C:\Windows\System32\esentutl.exe" /y C:\ProgramData\\GUP.txt /d C:\ProgramData\GUP.exe /o

First, check the help output. The file name in the report is confusing: the correct command is esentutl, with no "i" in it.


In the macro, the following three options are specified.

Copy File: /y <source file> [options]
/d<file> - destination file (default: copy source file to current directory)
/o - suppress logo


Let's copy the sample JPEG file.


It is worth noting when an .EXE file is created by the ESENTUTL command.
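As an added example (not code from the original post or from the FireEye report), here is detection logic that picks esentutl /y copies out of process-creation command lines and flags the .txt-to-.exe pattern from the macro; the sample command lines and the executable-extension list are my own constructed assumptions.

```python
import ntpath
import re

# Constructed process-creation command lines in the spirit of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\esentutl.exe" /y C:\ProgramData\GUP.txt /d C:\ProgramData\GUP.exe /o',
    r'esentutl.exe /y C:\Users\a\Pictures\sample.jpg /d C:\Users\a\Pictures\copy.jpg /o',
    r'esentutl /p C:\db\mail.edb',
]
# Assumed list of destination extensions whose creation by esentutl /y deserves a look.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}

def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_esentutl_copy(cmdline):
    """Return (source, destination) for an esentutl /y copy, or None for any other command line.
    Accepts '/d <file>' (as in the macro) and '/d<file>' (as the help text writes it); without /d
    the copy lands in the current directory under the source's base name."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("esentutl", "esentutl.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/y" not in lowered or lowered.index("/y") + 1 >= len(tokens):
        return None
    src = tokens[lowered.index("/y") + 1]
    dst = ntpath.basename(src)  # default destination: same name in the current directory
    for i, tok in enumerate(lowered):
        if tok == "/d" and i + 1 < len(tokens):
            dst = tokens[i + 1]
        elif tok.startswith("/d") and len(tok) > 2:
            dst = tokens[i][2:]
    return src, dst

def flag_esentutl_copies(cmdlines):
    """Return findings for copies that create an executable or change the file extension."""
    findings = []
    for cmdline in cmdlines:
        parsed = parse_esentutl_copy(cmdline)
        if parsed is None:
            continue
        src, dst = parsed
        src_ext, dst_ext = ntpath.splitext(src)[1].lower(), ntpath.splitext(dst)[1].lower()
        reasons = []
        if dst_ext in EXEC_EXTS:
            reasons.append("executable written by esentutl")
        if src_ext != dst_ext:
            reasons.append(f"extension changed {src_ext or '(none)'} -> {dst_ext or '(none)'}")
        if reasons:
            findings.append({"cmdline": cmdline, "src": src, "dst": dst, "reasons": reasons})
    return findings
```

Running `flag_esentutl_copies(SAMPLE_EVENTS)` reports only the first command line, with both the executable destination and the .txt to .exe change as reasons.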


By the way, ESENTUTL contains the character string NT.
Recently, I was asked by young people "What is the meaning of NT?"
I like the story of Windows NT and David Cutler.

Verification environment: Windows 10 1083

Reference URL:

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
