S0404 esentutl
esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]
Item | Value |
---|---|
ID | S0404 |
Associated Names | |
Type | TOOL |
Version | 1.2 |
Created | 03 September 2019 |
Last Modified | 01 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1005 | Data from Local System | esentutl can be used to collect data from local file systems.[4] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.004 | NTFS File Attributes | esentutl can be used to read and write alternate data streams.[2] |
enterprise | T1105 | Ingress Tool Transfer | esentutl can be used to copy files from a given URL.[2] |
enterprise | T1570 | Lateral Tool Transfer | esentutl can be used to copy files to/from a remote share.[2] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.003 | NTDS | esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[2][3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0114 | Chimera | [5] |
G0045 | menuPass | [6] |
References
1. Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
2. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
3. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
4. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
5. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
6. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.