```yaml
title: Browser Credential Theft via Esentutl
id: edr-win-cred-browser-esentutl
status: stable
description: >
  Detects esentutl.exe used to copy browser credential databases (Login Data, cookies, etc).
  Esentutl is a native Windows binary for Extensible Storage Engine operations. Threat actors
  use the /y (copy) and /d (destination) flags to duplicate locked browser databases for
  offline credential extraction. Observed in Akira, Qilin, and SocGholish intrusions.
references:
  - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
  - https://blog.talosintelligence.com/new-chaos-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\esentutl.exe'
    CommandLine|contains:
      - '/y'
      - '/d'
      - '/p'
  filter_forensic:
    ParentImage|endswith: '\AXIOMProcess.exe'
  condition: selection and not filter_forensic
falsepositives:
  - Magnet AXIOM forensic processing
  - Legitimate ESE database maintenance (rare in user context)
level: medium
```
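To show what this rule actually fires on, here is an added Python evaluator that is not part of the rule, its author's tooling, or any Sigma backend. It implements only the subset of Sigma semantics the rule uses (`|endswith`, `|contains` with a list meaning OR, case-insensitive matching, AND across a selection's fields, and the `selection and not filter_forensic` condition) and runs it over constructed process-creation events. The detection block is transcribed from the rule; the event paths, the AXIOM install location and the command lines are placeholders I made up for the test.

```python
"""Evaluate the Esentutl rule's detection logic against constructed process-creation events.

Hypothetical helper: a minimal Sigma-subset matcher, not a real Sigma engine.
"""

# Detection block transcribed from the rule above (same values, Python dict form).
RULE_DETECTION = {
    "selection": {
        "Image|endswith": "\\esentutl.exe",
        "CommandLine|contains": ["/y", "/d", "/p"],
    },
    "filter_forensic": {
        "ParentImage|endswith": "\\AXIOMProcess.exe",
    },
}


def _match_field(event, key, expected):
    """Match one 'Field|modifier: value(s)' entry. A list of values is OR; matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _match_selection(event, selection):
    """Every field inside one named selection must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """True when the event satisfies 'selection and not filter_forensic'."""
    return _match_selection(event, RULE_DETECTION["selection"]) and not _match_selection(
        event, RULE_DETECTION["filter_forensic"]
    )


# Constructed sample events (not real telemetry); users, paths and install locations are placeholders.
SAMPLE_EVENTS = [
    {   # copy of a browser database from a user-context shell: should alert
        "Image": r"C:\Windows\System32\esentutl.exe",
        "CommandLine": r'esentutl.exe /y "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d C:\Users\user\AppData\Local\Temp\ld.db',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same flags (upper case) but spawned by Magnet AXIOM: suppressed by filter_forensic
        "Image": r"C:\Windows\System32\esentutl.exe",
        "CommandLine": r'esentutl.exe /Y "C:\Cases\Login Data" /D C:\Cases\out\Login Data',
        "ParentImage": r"C:\Program Files\Magnet Forensics\AXIOM\AXIOMProcess.exe",
    },
    {   # header dump of an ESE database, no copy flags: no alert
        "Image": r"C:\Windows\System32\esentutl.exe",
        "CommandLine": r"esentutl.exe /mh C:\Windows\security\database\secedit.sdb",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # unrelated binary with similar-looking switches: no alert (Image does not match)
        "Image": r"C:\Windows\System32\xcopy.exe",
        "CommandLine": r"xcopy.exe /y /d C:\src C:\dst",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # no copy flags, but a forward-slash path contains the substring "/d": alerts as written
        "Image": r"C:\Windows\System32\esentutl.exe",
        "CommandLine": "esentutl.exe /mh C:/db/x.edb",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Return one boolean per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

The last sample is the caveat worth keeping in mind when tuning: a list under `CommandLine|contains` is OR'd and each value is a plain substring, so a lone `/d` (or `/p`) anywhere in the command line, including inside a forward-slash path, satisfies the selection even without `/y`. If that proves noisy, the usual fix is to require the switches with their surrounding spaces (`' /y '`) or to combine a `/y` selection with a separate `/d` selection in the condition.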