esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

ID: S0404
Associated Software: esentutl.exe
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.1
Created: 03 September 2019
Last Modified: 20 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

esentutl can be used to read and write alternate data streams.[2]

Enterprise T1105 Ingress Tool Transfer

esentutl can be used to copy files to/from a given URL.[2]

Enterprise T1570 Lateral Tool Transfer

esentutl can be used to copy files to/from a remote share.[2]

Enterprise T1003 .003 OS Credential Dumping: NTDS

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[2][3]

Groups That Use This Software

ID Name References
G0045 menuPass

[4]

References