Esentutl File Copy
Attackers abuse the signed esentutl.exe to copy locked files via VSS or pull payloads from remote shares under a trusted Windows binary.
esentutl.exe is a signed, Microsoft-shipped utility for maintaining Extensible Storage Engine (ESE / "Jet Blue") databases — the format behind Active Directory's NTDS.dit, the Windows Search index, and other system stores. Beyond database repair, it exposes a copy mode (/y) that can read files other tools cannot, including via the Volume Shadow Copy Service (VSS). Attackers repurpose that capability to copy locked or sensitive files and to stage payloads, all under a trusted binary.
Two abuses dominate. First, copying a file that is normally locked — most notably NTDS.dit or registry hives — by sourcing it from a VSS snapshot path, which underpins offline credential extraction. Second, copying to or from a UNC/remote share, effectively using esentutl as a download or exfiltration tool that bypasses controls watching for certutil/bitsadmin. An analyst encounters it as a stealthy file mover: the signed binary does the I/O while the intent is in the source and destination paths.
How it works
The copy mode reads a source and writes a destination; with a shadow-copy source it captures locked files:
esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit /d C:\Users\Public\n.dit

The /y (copy) and /d (destination) switches drive the operation; the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ prefix is the tell that the source is a VSS snapshot, letting esentutl read NTDS.dit while AD holds it open. A second pattern uses a \\host\share\ UNC source or destination to fetch a payload or push data off-box. Analysts should flag esentutl with /y, a GLOBALROOT/HarddiskVolumeShadowCopy path, a UNC source/destination, or any reference to ntds.dit/registry hives — none of which belong to routine database maintenance.
Detection & analysis
Static analysis:
- There is rarely a malicious binary to reverse; the artefact is the command line and the copied file. Triage the command line with regex/YARA for /y, /vss, GLOBALROOT, HarddiskVolumeShadowCopy, ntds.dit, the SYSTEM/SECURITY hive names, and \\-prefixed UNC paths.
- If a copied database lands on disk, identify it by ESE header magic and treat any out-of-place NTDS.dit or hive copy in a user-writable path as a credential-theft indicator.
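The file-side triage described above, as an added example that is not part of the original page: it identifies a dropped file by its header rather than its name (a copied NTDS.dit is usually renamed, as in the n.dit example earlier) and then judges the location. The ESE signature 0x89ABCDEF at byte offset 4 and the "regf" magic of registry hives are documented format facts; the expected directories and the list of user-writable prefixes are assumptions for this example and should be adjusted to the environment. The sample headers are constructed.

```python
"""Triage a file copied to disk: is it an ESE database or a registry hive,
and does it sit somewhere it should not? Added example, not from the page."""
import struct
from pathlib import PureWindowsPath

# ESE database header: bytes 0-3 are a checksum, bytes 4-7 hold the
# signature 0x89ABCDEF (stored little-endian, so EF CD AB 89 on disk).
ESE_SIGNATURE = 0x89ABCDEF
# Registry hive files (SYSTEM, SECURITY, SAM, ...) start with "regf".
REGF_MAGIC = b"regf"

# Where these stores legitimately live on a domain controller.
# Assumption for the example; extend per environment.
EXPECTED_DIRS = {
    "ese": {r"c:\windows\ntds"},
    "hive": {r"c:\windows\system32\config"},
}
# Directory prefixes an unprivileged user can write to (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")


def identify_format(header: bytes) -> str:
    """Return 'ese', 'hive' or 'unknown' from the first bytes of a file."""
    if len(header) >= 8 and struct.unpack_from("<I", header, 4)[0] == ESE_SIGNATURE:
        return "ese"
    if header[:4] == REGF_MAGIC:
        return "hive"
    return "unknown"


def classify_copy(path: str, header: bytes) -> str:
    """Classify a file by format and by where it was found.

    'credential-theft-indicator' means an ESE database or hive sitting in a
    user-writable directory, which is the pattern left by the /y copy abuse.
    """
    fmt = identify_format(header)
    if fmt == "unknown":
        return "not-a-database"
    parent = str(PureWindowsPath(path).parent).lower()
    if parent in EXPECTED_DIRS[fmt]:
        return "expected-location"
    if (parent + "\\").startswith(USER_WRITABLE):
        return "credential-theft-indicator"
    return "out-of-place"


# Constructed sample headers (first 16 bytes of each file).
SAMPLE_ESE_HEADER = b"\x00\x00\x00\x00" + struct.pack("<I", ESE_SIGNATURE) + b"\x00" * 8
SAMPLE_HIVE_HEADER = REGF_MAGIC + b"\x00" * 12


if __name__ == "__main__":
    for p, h in [
        (r"C:\Users\Public\n.dit", SAMPLE_ESE_HEADER),        # renamed NTDS copy
        (r"C:\Windows\NTDS\ntds.dit", SAMPLE_ESE_HEADER),     # the live database
        (r"C:\Users\Public\sys.hiv", SAMPLE_HIVE_HEADER),     # copied SYSTEM hive
        (r"C:\Users\Public\notes.txt", b"just some text!!"),  # unrelated file
    ]:
        print(f"{p}: {classify_copy(p, h)}")
```

On a live system the header comes from reading the first 16 bytes of the file; the classification ignores the file name on purpose, so renaming the copy does not defeat it.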
Dynamic analysis:
- In a sandbox or on a domain controller, watch whether esentutl.exe reads from a shadow-copy device path or a remote share, and where it writes. Legitimate maintenance operates on live local database files in their normal locations; VSS-sourced or UNC copies are anomalous.
- Correlate with preceding shadow-copy creation (vssadmin/wmic shadowcopy/diskshadow) and with file-creation events for the destination, which together reveal the NTDS dumping chain.
Detection rule hint:
Alert on Sysmon Event ID 1 where Image ends with \esentutl.exe AND the command line contains /y, /vss, GLOBALROOT, HarddiskVolumeShadowCopy, ntds.dit, or a \\-prefixed UNC path. Raise severity when the parent is cmd.exe/powershell.exe on a domain controller, and correlate with a recent shadow-copy creation event and Sysmon Event ID 11 (file create) for the destination to confirm credential-access intent.
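The detection rule above, and the command-line regex triage from the static-analysis section, as one added example that is not part of the original page. It evaluates Sysmon Event ID 1 records for esentutl.exe against the listed indicators, raises severity for a cmd.exe/powershell.exe parent on a domain controller, and confirms intent by correlating a preceding shadow-copy creation command and an Event ID 11 file-create for the /d destination. The events are constructed dicts with Sysmon field names; the DOMAIN_CONTROLLERS inventory, the 30-minute correlation window and the severity labels are assumptions for this example.

```python
"""Sysmon-based detection of esentutl /y abuse with correlation.
Added example, not from the page; field names follow Sysmon's event schema."""
import re
from datetime import datetime, timedelta

# Command-line indicators from the page, one regex each so alerts can name them.
INDICATORS = {
    "copy-switch": re.compile(r"(?i)(?:^|\s)/y\b"),
    "vss-switch": re.compile(r"(?i)(?:^|\s)/vss\b"),
    "shadow-copy-path": re.compile(r"(?i)GLOBALROOT|HarddiskVolumeShadowCopy"),
    "ntds": re.compile(r"(?i)ntds\.dit"),
    "hive-name": re.compile(r"(?i)\\(?:SYSTEM|SECURITY|SAM)(?:\s|$|\")"),
    "unc-path": re.compile(r"\\\\[A-Za-z0-9._-]+\\"),
}
# Shadow-copy creation tools named on the page.
SHADOW_CREATE = re.compile(
    r"(?i)vssadmin(?:\.exe)?\s+create\s+shadow|wmic(?:\.exe)?\s+shadowcopy\s+call\s+create|diskshadow"
)
# Destination given to esentutl with /d (quoted or bare path).
DEST_SWITCH = re.compile(r'(?i)/d\s+("[^"]+"|\S+)')
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}
DOMAIN_CONTROLLERS = {"DC01"}  # assumed asset inventory


def parse_time(s: str) -> datetime:
    """Sysmon UtcTime looks like '2024-05-01 09:58:12.123'; drop the fraction."""
    return datetime.strptime(s.split(".")[0], "%Y-%m-%d %H:%M:%S")


def evaluate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return one alert per esentutl process-create event that matches the rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\esentutl.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if not hits:
            continue
        t, host = parse_time(ev["UtcTime"]), ev["Computer"]
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        severity = "medium"
        if parent in SHELL_PARENTS and host in DOMAIN_CONTROLLERS:
            severity = "high"
        # Correlation 1: a shadow-copy creation on the same host shortly before.
        shadow = any(
            e["EventID"] == 1 and e["Computer"] == host
            and SHADOW_CREATE.search(e.get("CommandLine", ""))
            and t - window <= parse_time(e["UtcTime"]) <= t
            for e in events
        )
        # Correlation 2: Event ID 11 showing the /d destination actually got written.
        m = DEST_SWITCH.search(cmd)
        dest = m.group(1).strip('"').lower() if m else None
        written = dest is not None and any(
            e["EventID"] == 11 and e["Computer"] == host
            and e.get("TargetFilename", "").lower() == dest
            and t <= parse_time(e["UtcTime"]) <= t + window
            for e in events
        )
        if shadow and written:
            severity = "critical"  # credential-access intent confirmed
        alerts.append({"host": host, "time": ev["UtcTime"], "severity": severity,
                       "indicators": hits, "shadow_copy_created": shadow,
                       "destination": dest, "destination_written": written})
    return alerts


# Constructed sample events: one benign header dump, then the dumping chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 09:40:00.000", "Computer": "DC01",
     "Image": r"C:\Windows\System32\esentutl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"esentutl.exe /mh C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb"},
    {"EventID": 1, "UtcTime": "2024-05-01 09:58:12.000", "Computer": "DC01",
     "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:05.000", "Computer": "DC01",
     "Image": r"C:\Windows\System32\esentutl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit /d C:\Users\Public\n.dit"},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:06.000", "Computer": "DC01",
     "Image": r"C:\Windows\System32\esentutl.exe", "TargetFilename": r"C:\Users\Public\n.dit"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

The benign /mh header dump produces no alert because none of the indicators match; the /y copy from the shadow-copy device path is flagged on its own, and only the two correlations together push it to the top severity.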