Skip to content

S0404 esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.1

Item Value
ID S0404
Associated Names
Type TOOL
Version 1.3
Created 03 September 2019
Last Modified 28 September 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1005 Data from Local System esentutl can be used to collect data from local file systems.4
enterprise T1006 Direct Volume Access esentutl can use the Volume Shadow Copy service to copy locked files such as ntds.dit.32
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes esentutl can be used to read and write alternate data streams.3
enterprise T1105 Ingress Tool Transfer esentutl can be used to copy files from a given URL.3
enterprise T1570 Lateral Tool Transfer esentutl can be used to copy files to/from a remote share.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.003 NTDS esentutl can copy ntds.dit using the Volume Shadow Copy service.32

Groups That Use This Software

ID Name References
G0114 Chimera 5
G1032 INC Ransom 76
G0045 menuPass 8

References

  1. Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019. 

  2. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019. 

  3. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019. 

  4. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021. 

  5. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 

  6. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024. 

  7. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. 

  8. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.