mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-07-27 12:42:19 +02:00
Wietze
GitHub
@@ -1,45 +1,45 @@
|
||||
---
|
||||
Name: Esentutl.exe
|
||||
Description: Binary for working with Microsoft Joint Engine Technology (JET) database
|
||||
Author: 'Oddvar Moe'
|
||||
Author: Oddvar Moe
|
||||
Created: 2018-05-25
|
||||
Commands:
|
||||
- Command: esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
|
||||
- Command: esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o
|
||||
Description: Copies the source VBS file to the destination VBS file.
|
||||
Usecase: Copies files from A to B
|
||||
Category: Copy
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
- Command: esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o
|
||||
Description: Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
|
||||
- Command: esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o
|
||||
Description: Copies the source Alternate Data Stream (ADS) to the destination EXE.
|
||||
Usecase: Extract hidden file within alternate data streams
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
|
||||
- Command: esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o
|
||||
Description: Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
|
||||
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
|
||||
Category: ADS
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
|
||||
- Command: esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o
|
||||
Description: Copies the source EXE to the destination EXE file
|
||||
Usecase: Use to copy files from one unc path to another
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1564.004
|
||||
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
||||
- Command: esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit}
|
||||
Description: Copies a (locked) file using Volume Shadow Copy
|
||||
Usecase: Copy/extract a locked file such as the AD Database
|
||||
Category: Copy
|
||||
@@ -49,8 +49,6 @@ Commands:
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\esentutl.exe
|
||||
- Path: C:\Windows\SysWOW64\esentutl.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
|
||||
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
|
||||
|
||||
Reference in New Issue
Block a user