This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.
SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
esentutl
ID: S0404
ⓘ
Associated Software: esentutl.exe
ⓘ
Type: TOOL
ⓘ
Platforms: Windows
Contributors: Edward Millington; Matthew Demaske, Adaptforward
Version: 1.2
Created: 03 September 2019
Last Modified: 01 October 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | Data from Local System |
esentutl can be used to collect data from local file systems.[2] |
|
| Enterprise | T1564 | .004 | Hide Artifacts: NTFS File Attributes |
esentutl can be used to read and write alternate data streams.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1570 | Lateral Tool Transfer |
esentutl can be used to copy files to/from a remote share.[3] |
|
| Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[3][4] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0114 | Chimera | |
| G0045 | menuPass |
References
- Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
×