esentutl
ID: S0404
ⓘ
Associated Software: esentutl.exe
ⓘ
Type: TOOL
ⓘ
Platforms: Windows
Contributors: Edward Millington; Matthew Demaske, Adaptforward
Version: 1.3
Created: 03 September 2019
Last Modified: 28 September 2023
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | Data from Local System |
esentutl can be used to collect data from local file systems.[2] |
|
| Enterprise | T1006 | Direct Volume Access |
esentutl can use the Volume Shadow Copy service to copy locked files such as |
|
| Enterprise | T1564 | .004 | Hide Artifacts: NTFS File Attributes |
esentutl can be used to read and write alternate data streams.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1570 | Lateral Tool Transfer |
esentutl can be used to copy files to/from a remote share.[3] |
|
| Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
esentutl can copy |
Groups That Use This Software
References
- Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
- Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
- LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
- Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
- SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.