esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

ID: S0404
Associated Software: esentutl.exe
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.0
Created: 03 September 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[2][3]

Enterprise T1096 NTFS File Attributes

esentutl can be used to read and write alternate data streams.[2]

Enterprise T1105 Remote File Copy

esentutl can be used to copy files from a remote host or download files from a given URL.[2]
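The three uses listed above can be turned into process-creation detection logic. The following is an added example, not part of the ATT&CK entry: it classifies constructed `image|command line` log lines into the technique IDs on this page. The `/y`, `/d` and `/vss` switches are real esentutl options; the regular expressions are assumptions about how these uses appear in telemetry, not something the page specifies.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation events (not from the page), exported as
# "image|command line" the way a SIEM might emit them. Lines 4 and 5 are benign.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Users\Public\n.dit",
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\temp\in.txt /d C:\temp\out.txt:hidden.exe /o",
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /y \\fileserver\share\tool.exe /d C:\Users\Public\tool.exe /o",
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /p C:\Windows\SoftwareDistribution\DataStore\DataStore.edb",
    r"C:\Windows\System32\robocopy.exe|robocopy.exe C:\src D:\dst /E",
]

# Assumed indicators (detection heuristics, not esentutl documentation):
ADS_PATH = re.compile(r"(?i)[a-z]:\\[^\s:]*:[^\s\\:]+")         # C:\dir\file:stream
REMOTE_SRC = re.compile(r"(?i)/y\s+(\\\\[^\s]+|https?://\S+)")  # UNC path or URL after /y
VSS = re.compile(r"(?i)(/vss\b|HarddiskVolumeShadowCopy)")      # read via shadow copy
NTDS = re.compile(r"(?i)ntds\.dit")                             # locked AD database


def classify(image: str, cmdline: str) -> List[Tuple[str, str]]:
    """Return (technique ID, reason) pairs for one esentutl.exe event.

    Technique IDs are the ones listed on this page; non-esentutl images
    are ignored so the rules only fire on the tool this entry describes.
    """
    hits: List[Tuple[str, str]] = []
    if not image.lower().endswith("\\esentutl.exe"):
        return hits
    if VSS.search(cmdline) or NTDS.search(cmdline):
        hits.append(("T1003", "copy of locked file via Volume Shadow Copy / ntds.dit"))
    if ADS_PATH.search(cmdline):
        hits.append(("T1096", "alternate data stream in source or destination path"))
    if REMOTE_SRC.search(cmdline):
        hits.append(("T1105", "source is a remote host or URL"))
    return hits


def scan(events: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Classify every event; returns (event index, hits) so empty hits are visible too."""
    return [(i, classify(*line.split("|", 1))) for i, line in enumerate(events)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits or "no hit")
```

The repair invocation (`/p`) and the robocopy event produce no hits, which is the false-positive check a rule like this needs before deployment.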

Groups That Use This Software

ID Name References
G0045 menuPass [4]