SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. esentutl

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

ID: S0404
Associated Software: esentutl.exe
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.1
Created: 03 September 2019
Last Modified: 20 March 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

esentutl can be used to read and write alternate data streams.[2]
Enterprise T1105 Ingress Tool Transfer

esentutl can be used to copy files to/from a given URL.[2]
Enterprise T1570 Lateral Tool Transfer

esentutl can be used to copy files to/from a remote share.[2]
Enterprise T1003 .003 OS Credential Dumping: NTDS

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[2][3]

Groups That Use This Software

ID Name References
G0045 menuPass

[4]
G0114 Chimera

[5]

References

  1. Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
  2. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  3. Cary, M.. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  1. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  2. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.