1. Home
  2. Software
  3. esentutl

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

ID: S0404
Associated Software: esentutl.exe
Type: TOOL
Platforms: Windows
Contributors: Edward Millington; Matthew Demaske, Adaptforward
Version: 1.3
Created: 03 September 2019
Last Modified: 28 September 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

esentutl can be used to collect data from local file systems.[2]
Enterprise T1003 .003 操作系统凭证转储: NTDS

esentutl can copy ntds.dit using the Volume Shadow Copy service.[3][4]
Enterprise T1570 横向工具传输

esentutl can be used to copy files to/from a remote share.[3]
Enterprise T1006 直接卷访问

esentutl can use the Volume Shadow Copy service to copy locked files such as ntds.dit.[3][4]
Enterprise T1105 输入工具传输

esentutl can be used to copy files from a given URL.[3]
Enterprise T1564 .004 隐藏伪装: NTFS File Attributes

esentutl can be used to read and write alternate data streams.[3]

Groups That Use This Software

ID Name References
G0114 Chimera

[5]
G1032 INC Ransom

[6][7]
G0045 menuPass

[8]

References

  1. Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
  2. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
  3. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  4. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  1. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  2. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  3. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
  4. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.