Windows
Esentutl.exeEsentutl.exe
Platform
Windows
Abuse functions
6
Mapped techniques
3
Description
Esentutl.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Copy, ADS, Download. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1105, T1564.004. Defenders should monitor execution of Esentutl.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.
Abuse functions· 6
CopyT1105
Copies files from A to B
ADST1564.004
Copy file and hide it in an alternate data stream as a defensive counter measure
ADST1564.004
Extract hidden file within alternate data streams
ADST1564.004
Copy file and hide it in an alternate data stream as a defensive counter measure
DownloadT1564.004
Use to copy files from one unc path to another
CopyT1003.003
Copy/extract a locked file such as the AD Database
MITRE ATT&CK techniques· 3
Uses3
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Technique | Ingress Tool Transfert1105 | 100% | live |
| SubTechnique | NTDSt1003.003 | 100% | live |
| SubTechnique | NTFS File Attributest1564.004 | 100% | live |
Abuses2
| Type | Target | Confidence | Tier |
|---|---|---|---|
| SubTechnique | NTFS File Attributest1564.004 | 90% | live |
| Technique | Ingress Tool Transfert1105 | 85% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.