SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. esentutl

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

ID: S0404
Associated Software: esentutl.exe
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[2][3]
Enterprise T1096 NTFS File Attributes

esentutl can be used to read and write alternate data streams.[2]
Enterprise T1105 Remote File Copy

esentutl can be used to copy files from a remote host or download files from a given URL.[2]

Groups That Use This Software

ID Name References
G0045 menuPass [4]

References

  1. Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
  2. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  1. Cary, M.. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  2. Matsuda, A., Muhammad, I.. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved April 22, 2019.