Process
esentutl.exe
esentutl.exe is the Extensible Storage Engine maintenance utility, a tool for managing the ESE databases that Windows uses for Active Directory, Windows Search, certificates, and more. Administrators use it to defragment, repair, and recover those databases. Attackers use it for something else: copying locked files like the Active Directory database, and pulling files from remote locations, through a trusted signed binary.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o · Copy · Copies files from A to B
esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o · ADS · Copy a file and hide it in an alternate data stream as a defensive countermeasure
esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o · ADS · Extract a hidden file from an alternate data stream
esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o · ADS · Copy a file and hide it in an alternate data stream as a defensive countermeasure
esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o · Download · Copies files from one UNC path to another
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit} · Copy · Copy/extract a locked file such as the AD database
Indicators
Not observed.
Analysis
esentutl.exe maintains databases built on the Extensible Storage Engine (ESE, also called Jet Blue), the embedded database format behind the Active Directory store (ntds.dit), the Windows Search index, the certificate database, and others. Its legitimate verbs handle database health: /d defragment, /p repair, /r recovery, /g integrity check, and /m dump. The genuine binary lives at C:\Windows\System32\esentutl.exe.
It also has a raw file-copy capability, /y, that can read a file even while another process holds it open, optionally going through a Volume Shadow Copy with /vss. That is genuinely useful for copying a live database during maintenance, but it is the same capability an attacker uses to grab files Windows normally keeps locked.
Legitimately, esentutl is run by administrators and by directory or backup tooling, infrequently and in a maintenance context. On an ordinary workstation it is uncommon. The verb and the files on its command line describe what an instance is doing.
esentutl.exe copies locked credential stores (T1003.003, T1003.002). The /y /vss combination copies a file that is locked while Windows runs: esentutl /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit on a domain controller lifts the entire Active Directory database (T1003.003), and the same trick copies the SAM and SYSTEM hives for local account hashes (T1003.002). A /y or /vss operation touching ntds.dit or the hive files is close to a confirmed credential-theft attempt.
The same copy verb also reads from remote and WebDAV paths, so esentutl can pull a payload off the internet under a trusted name (T1105). A remote or \\... source is out of place for a database tool.
In every case the binary is the genuine signed esentutl and the operation is a legitimate copy, so path and signature checks pass and even Microsoft-trusting application control allows it. The verb, the files, and the parent are what separate maintenance from theft.
- Image path other than C:\Windows\System32\esentutl.exe · high
- /y with /vss copying a locked system file · high
- A source or destination referencing ntds.dit, SAM, SYSTEM, or SECURITY · high
- A remote or WebDAV path (\\...) on the command line · high
- Parent is cmd.exe, powershell.exe, an Office application, or an unfamiliar process · high
- Run on a host with no database or maintenance role · med
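To show how the indicators above combine into a verdict for one process-creation event, here is an added triage function with constructed sample events; it is not code from the original profile. The allowlisted maintenance parents, the host role names and the Office executable names are assumptions to tune per environment, and the credential-store check is applied only in /y copy mode so that a /g integrity check of ntds.dit is not flagged.

```python
import re

GENUINE_IMAGE = r"c:\windows\system32\esentutl.exe"
SENSITIVE_FILES = {"ntds.dit", "sam", "system", "security"}
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe", "outlook.exe"}
EXPECTED_PARENTS = {"ntdsutil.exe", "wbengine.exe"}  # assumed allowlist; tune per environment
MAINTENANCE_ROLES = {"domain_controller", "backup_server", "certificate_authority"}  # assumed role names
RANK = {"none": 0, "med": 1, "high": 2}  # severities as rated in the profile

def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def triage(image, cmdline, parent, roles):
    """Score one esentutl process-creation event: returns (verdict, [(indicator, severity)])."""
    hits = []
    if image.lower() != GENUINE_IMAGE:
        hits.append(("image path other than System32", "high"))
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)][1:]  # drop argv[0]
    flags = {t.lower() for t in tokens if t.startswith("/")}
    paths = [t for t in tokens if not t.startswith("/")]
    if "/y" in flags and "/vss" in flags:
        hits.append(("/y with /vss copying a locked file", "high"))
    # Source/destination only exist in copy mode; /g or /p against ntds.dit is maintenance.
    if "/y" in flags and any(_basename(p) in SENSITIVE_FILES for p in paths):
        hits.append(("credential store named on the command line", "high"))
    if any(p.startswith("\\\\") for p in paths):
        hits.append(("remote (UNC/WebDAV) path on the command line", "high"))
    parent_name = _basename(parent)
    if parent_name in SUSPICIOUS_PARENTS or parent_name not in EXPECTED_PARENTS:
        hits.append(("parent is a shell, Office app or unfamiliar process", "high"))
    if not set(roles) & MAINTENANCE_ROLES:
        hits.append(("host has no database or maintenance role", "med"))
    verdict = max((sev for _, sev in hits), key=RANK.get, default="none")
    return verdict, hits

# Constructed sample events, not real telemetry: (image, cmdline, parent, host roles).
SAMPLES = {
    "integrity_check": (r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /g C:\Windows\NTDS\ntds.dit",
                        r"C:\Windows\System32\ntdsutil.exe", ["domain_controller"]),
    "ntds_copy": (r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit",
                  r"C:\Windows\System32\cmd.exe", ["domain_controller"]),
    "remote_copy": (r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /y \\fileserver01\share\update.exe /d C:\Users\Public\update.exe /o",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", []),
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        verdict, hits = triage(*event)
        print(f"{name}: {verdict} {[indicator for indicator, _ in hits]}")
```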
Telemetry
Not observed.